September 15, 2005

Information Technology Management

Report on Defense Civilian Pay System Controls Placed in Operation and Tests of Operating Effectiveness for the Period October 1, 2004 through June 30, 2005 (D-2005-106)

Department of Defense
Office of Inspector General

Constitution of the United States, Article I, Section 9: "A Regular Statement of Account of the Receipts and Expenditures of all public Money shall be published from time to time."

Additional Copies

To obtain additional copies of this report, visit the Web site of the Department of Defense Inspector General at http://www.dodig.mil/audit/reports or contact the Secondary Reports Distribution Unit, Audit Followup and Technical Support at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact Audit Followup and Technical Support at (703) 604-8940 (DSN 664-8940) or fax (703) 604-8932. Ideas and requests can also be mailed to:

ODIG-AUD (ATTN: AFTS Audit Suggestions)
Department of Defense Inspector General
400 Army Navy Drive (Room 801)
Arlington, VA 22202-4704

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202-4764

September 15, 2005

MEMORANDUM FOR UNDER SECRETARY OF DEFENSE (COMPTROLLER)/CHIEF FINANCIAL OFFICER
               ASSISTANT SECRETARY OF DEFENSE (NETWORKS AND INFORMATION INTEGRATION)/DOD CHIEF INFORMATION OFFICER
               DIRECTOR, DEFENSE FINANCE AND ACCOUNTING SERVICE
               DIRECTOR, DEFENSE INFORMATION SYSTEMS AGENCY

SUBJECT: Report on Defense Civilian Pay System Controls Placed in Operation and Tests of Operating Effectiveness for the Period October 1, 2004 through June 30, 2005 (D-2005-106)

We are providing this report for your information and use. No written response to this report is required. Therefore, we are publishing this report in final form.

We appreciate the courtesies extended to the staff. Questions should be directed to Mr. Michael Perkins at (703) 325-3557 (DSN 221-3557) or Sean J. Keaney at (703) 428-1448 (DSN 328-1448). The audit team members are listed inside the back cover.

By direction of the Deputy Inspector General for Auditing:

Paul J. Granetto, CPA
Assistant Inspector General
Defense Financial Auditing Service

Table of Contents

Foreword                                                                    i

Section I
    Independent Service Auditor's Report                                    1

Section II
    Description of DCPS Operations and Controls Provided by DFAS and DISA   9

Section III
    Control Objectives, Control Activities, and Tests of Operating Effectiveness   21

Section IV
    Supplemental Information Provided by DFAS and DISA                      73

Acronyms and Abbreviations                                                  77

Report Distribution                                                         79

FOREWORD

This report is intended for the use of Defense Finance and Accounting Service (DFAS) and Defense Information Systems Agency (DISA) management, its user organizations, and the independent auditors of its user organizations. DoD personnel who manage and use the Defense Civilian Pay System (DCPS) will also find this report of interest, as it contains information about DCPS general and application controls.

DCPS is a pay processing system used to pay DoD civilian employees, as well as employees at several other Federal entities, including the Departments of Energy and Health and Human Services, and the Executive Office of the President. In 2004, DCPS processed approximately $42.3 billion of pay transactions and paid approximately 762,000 employees on a bi-weekly basis.

The DoD Office of Inspector General (DoD OIG) is implementing a long-range strategy to conduct audits of DoD financial statements. The Chief Financial Officers Act of 1990 (P.L. 101-576), as amended, mandates that agencies prepare and conduct audits of financial statements. The reliability of information in DCPS directly impacts the Defense Department's ability to provide reliable, and ultimately auditable, financial statements, which is key to achieving the goals of the Chief Financial Officers Act.

This audit assessed the application and general computer controls over DCPS and its related processing. Those application and general computer controls are managed and maintained by DFAS and DISA. This report provides an opinion on the fairness of presentation, the adequacy of design, and the operating effectiveness of key application and general computer controls that are relevant to audits of user organization financial statements. As a result, this audit precludes the need for the multiple audits of DCPS controls previously performed by user organizations to plan or conduct financial statement and performance audits. This audit will also provide, in a separate audit report, recommendations to management for correction of identified control deficiencies. Effective internal control is critical to achieving reliable information for all management reporting and decision making purposes.

Certain DCPS general computer controls are maintained by DISA-Mechanicsburg. DISA-Mechanicsburg was included in the scope of a separate DISA-wide general computer controls audit that provided a Service Auditor's Report, Report No. D-2005-105, "Report on Defense Information Systems Agency, Center for Computing Services Controls Placed in Operation and Tests of Operating Effectiveness for the Period October 1, 2004 through April 30, 2005," September 6, 2005. This DISA-wide audit included certain general computer controls that were directly related to DCPS. In order to reduce duplication of effort and minimize the audit footprint on DISA, the DCPS-related general computer controls maintained by DISA-Mechanicsburg and covered by the DISA-wide audit were excluded from the scope of this SAS 70 audit. The control objectives that were not covered for DISA-Mechanicsburg as part of this audit included:

    • Control Objective 1: Risks are periodically assessed.

    • Control Objective 3: A security management structure has been established, information security responsibilities are clearly assigned, and expected behavior of all personnel is in place.

    • Control Objective 20: Passwords, tokens, or other devices are used to identify and authenticate users.

    • Control Objective 46: Individuals requiring access to sensitive information are processed for access authorization in accordance with DoD personnel security policies.

    • Control Objective 58: Access authorizations are appropriately limited.

    • Control Objective 62: Incompatible duties have been identified and policies implemented to segregate these duties.

    • Control Objective 63: System management job descriptions have been documented.

    • Control Objective 64: System management employees understand their duties and responsibilities.

    • Control Objective 65: Management reviews effectiveness of control techniques.

    • Control Objective 66: Formal procedures guide system management personnel in performing their duties.

    • Control Objective 68: Active supervision and review are provided for all system management personnel.

Certain control objectives listed above were still relevant to other locations included in the scope of this DCPS audit (for example, the Technology Services Organization [TSO]) and are included in this report for those locations. In certain situations where the above control objective would only apply to DISA-Mechanicsburg and was not tested, we inserted "Control objective left intentionally blank" in order to preserve our control objective numbering scheme. User organizations and their auditors who use this report as part of their audit planning procedures should also read Report No. D-2005-105, "Report on Defense Information Systems Agency, Center for Computing Services Controls Placed in Operation and Tests of Operating Effectiveness for the Period October 1, 2004 through April 30, 2005," September 6, 2005, to understand the design and operating effectiveness of the general computer controls maintained by DISA-Mechanicsburg.

Section I: Independent Service Auditor's Report

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202-4704

September 15, 2005

MEMORANDUM FOR UNDER SECRETARY OF DEFENSE (COMPTROLLER)/CHIEF FINANCIAL OFFICER
               ASSISTANT SECRETARY OF DEFENSE (NETWORKS AND INFORMATION INTEGRATION)/DOD CHIEF INFORMATION OFFICER
               DIRECTOR, DEFENSE FINANCE AND ACCOUNTING SERVICE
               DIRECTOR, DEFENSE INFORMATION SYSTEMS AGENCY

SUBJECT: Report on the Defense Civilian Pay System Controls Placed in Operation and Tests of Operating Effectiveness for the Period October 1, 2004 through June 30, 2005

We have examined the accompanying description of the general computer and application controls related to the Defense Civilian Pay System (DCPS) (Section II). DCPS is sponsored and used by the Defense Finance and Accounting Service (DFAS) and maintained and technically supported by the Defense Information Systems Agency (DISA) and technical support elements of DFAS. As such, the DCPS general computer and application controls are managed by both DISA and DFAS. Our examination included procedures to obtain reasonable assurance about whether (1) the accompanying description presents fairly, in all material respects, the aspects of the controls at DFAS and DISA that may be relevant to a DCPS user organization's internal controls as they relate to an audit of financial statements; (2) the controls included in the description were suitably designed to achieve the control objectives specified in the description, if those controls were complied with satisfactorily, and user organizations applied those aspects of internal controls contemplated in the design of the controls at DFAS and DISA; and (3) such controls had been placed in operation as of June 30, 2005.

The control objectives were specified by the Department of Defense Office of Inspector General (DoD OIG). Our examination was performed in accordance with standards established by the American Institute of Certified Public Accountants and the standards applicable to financial audits contained in Government Auditing Standards issued by the Comptroller General of the United States, and included those procedures we considered necessary in the circumstances to obtain a reasonable basis for rendering our opinion.

The accompanying description includes only those application control objectives and related controls resident at the Charleston, SC; Pensacola, FL; and Denver, CO payroll offices and does not include application control objectives and related controls at the National Security Agency (NSA) payroll office. In addition, DCPS processes approximately 140 interface files from DoD and external systems. Examples of these interface systems include the Defense Civilian Personnel Data System, Automated Time and Attendance and Production System, Automated Disbursing System, and the Defense Joint Accounting System. The accompanying description does not include control objectives and general and application controls related to the systems that interface with DCPS. Our examination did not extend to the controls resident at the National Security Agency payroll office and related systems that interface with DCPS.

Our examination was conducted for the purpose of forming an opinion on the description of the DCPS general and application controls at DFAS and DISA (Section II). Information about business continuity plans and procedures at DFAS and DISA, as provided by those organizations and included in Section IV, is presented to provide additional information to user organizations and is not a part of the description of controls at DFAS and DISA. The information in Section IV has not been subjected to the procedures applied in the examination of the aforementioned description of the controls at DFAS and DISA related to their business continuity plans and procedures and, accordingly, we express no opinion on the description of the business continuity plans and procedures provided by DFAS and DISA.

As discussed in the accompanying "Description of DCPS Operations and Controls Provided by DFAS and DISA" (Section II), DISA-Mechanicsburg has processes in place for testing and implementing system software changes. System software change testing results were not required to be documented and maintained. In addition, the charter for the local Configuration Control Board at DISA-Mechanicsburg was not approved. As a result, the design of the controls did not provide reasonable assurance that the control objective "system software changes are authorized, tested, approved, and documented before implementation" would be achieved.

In our opinion, the accompanying description of the general computer and application controls at DFAS and DISA related to DCPS (Section II) presents fairly, in all material respects, the relevant aspects of the controls at DFAS and DISA that had been placed in operation as of June 30, 2005. Also, in our opinion, the controls, except for the design deficiency referred to in the preceding paragraph, as described, are suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described controls were complied with satisfactorily and users applied those aspects of internal control contemplated in the design of the controls at DFAS and DISA.

In addition to the procedures that we considered necessary to render our opinion as expressed in the previous paragraph, we applied tests to specified controls, listed in Section III, to obtain evidence about their effectiveness in meeting the related control objectives described in Section III during the period of October 1, 2004 through June 30, 2005. The specific control objectives, controls, and the nature, timing, extent, and results of the tests are documented in Section III. This information has been provided to DCPS user organizations and to their auditors to be taken into consideration, along with information about the user organizations' internal control environments, when making assessments of control risk for such user organizations.

In performing our examination, we identified the following operating effectiveness deficiencies related to the controls described in the "Description of DCPS Operations and Controls Provided by DFAS and DISA" (Section II):

DCPS User Access

The accompanying description includes control activities relating to DFAS processes for providing access to DCPS. For every DCPS user, DFAS required a Systems Access Authorization Request (SAAR) form to be completed, indicating the user's access to DCPS and the authorization by an appropriate supervisor granting such access. Upon examining a selection of 45 randomly selected SAAR forms for payroll office users' access to DCPS, we identified seven SAAR forms where the access granted in DCPS did not match the access authorized on the SAAR form. In addition, one of the 45 payroll office users' SAAR forms selected for testing did not contain a supervisor's signature. Upon examining a selection of 45 randomly selected SAAR forms for non-payroll office users' access to DCPS, we identified four SAAR forms where the access granted in DCPS did not match the access authorized on the SAAR form. In addition, four of the 45 non-payroll office users' SAAR forms could not be located. As a result, the following control objectives that rely on this control may not have been fully achieved during the period of October 1, 2004 through June 30, 2005:

    "Controls provide reasonable assurance that all application users are appropriately identified and authenticated. Access to the application and output is restricted to authorized users for authorized purposes,"

    "Controls provide reasonable assurance that changes to the payroll master files and withholding tables are authorized, input, and processed timely," and

    "Controls provide reasonable assurance that data transmissions in DCPS from user organizations are authorized, complete, accurate and secure."

DCPS Processing Error Monitoring

The accompanying description includes control activities relating to DFAS procedures for processing errors from interfacing personnel systems. The Personnel Interface Invalid Report (P6606R01) is a key control for monitoring and resolving DCPS interface processing errors. At the DFAS-Denver payroll office, the Personnel Interface Invalid Reports could not be provided for the period October 1, 2004 through March 27, 2005, which represented 18 of the 45 reports randomly selected for testing. Furthermore, one of the 27 Personnel Interface Invalid Reports for the period March 28, 2005 to June 30, 2005 could not be located (leaving 26 reports available for review). The available Personnel Interface Invalid Reports subsequent to March 27, 2005 were examined to determine if the reports were annotated, indicating that the report exceptions were resolved. We identified that annotations on 23 of the 26 available Personnel Interface Invalid Reports for the period of March 28, 2005 to June 30, 2005 did not include the corrective actions taken, 18 of the 26 Personnel Interface Invalid Reports provided were not dated as completed, and 12 of the 26 Personnel Interface Invalid Reports were not initialed as completed. At the DFAS-Charleston payroll office, because the document management system that stores electronic copies of the Personnel Interface Invalid Report does not allow annotation of the reports, and because management reviews only a random selection of the reports (instead of reviewing all reports), the audit team concluded that controls are not in place to ensure that the Personnel Interface Invalid Reports are properly corrected, annotated, and reviewed by supervisors. Therefore, testing of the reports at the DFAS-Charleston payroll office was not performed. At the DFAS-Pensacola payroll office, 10 of the 44 Personnel Interface Invalid Reports selected for testing were not available for review. The remaining 34 reports that were reviewed did not always have the final resolution of errors annotated in the report. Without documented evidence of supervisory reviews and actions taken to address items on this report, there is no documented audit trail related to the use of this report as a control. As a result, the following control objectives that rely on this control may not have been fully achieved during the period of October 1, 2004 through June 30, 2005:

    "Controls provide reasonable assurance that changes to the payroll master files and withholding tables are authorized, input, and processed timely,"

    "Controls provide reasonable assurance of the integrity and reliability of DCPS data for financial reporting purposes,"

    "Controls provide reasonable assurance that fiscal year-end, leave-year-end and calendar year-end processing occurs in accordance with established Government-wide and agency guidelines," and

    "Controls are reasonable to ensure that transactions from interfacing systems are subjected to the payroll system edits, validations and error-correction procedures."

DCPS Interfaces

All DCPS interfaces should have a documented Memorandum of Agreement. The Memorandum of Agreement documents key information about an interface, such as impacted parties, interconnection requirements, points of contact, security requirements, technical platform information, interface file information, and designated signatories. However, 43 out of 148 DCPS interfaces did not have a documented Memorandum of Agreement in place. As a result, the control objective "owners determine disposition and sharing of data" may not have been fully achieved during the period of October 1, 2004 through June 30, 2005.

DCPS System Access

For every DCPS system support user at DISA-Mechanicsburg, DISA required a system access request form (Form DD 2875) to be completed, including the access the user required within DCPS and the appropriate supervisor's authorization granting such access. For four out of 45 DISA-Mechanicsburg personnel haphazardly selected for testing, justification for access was not detailed on the system access request form. As a result, the control objective "access settings have been implemented in accordance with the access authorizations established by the resource owners" may not have been fully achieved during the period of October 1, 2004 through June 30, 2005.

DCPS Application Change Controls

Testing of DCPS application changes is required to be documented. Testing documentation for 47 of the 50 sampled items selected for testing could not be provided by DFAS during the audit. As a result, the control objective "changes are controlled as programs progress through testing to final approval to ensure completeness, authorization, software quality requirements and validation methods that are focused on the minimization of flawed or malformed software that can negatively impact integrity or availability (e.g., buffer overruns) are specified for all software development initiatives" may not have been fully achieved during the period of October 1, 2004 through June 30, 2005.

In our opinion, except for the deficiencies in operating effectiveness noted in the preceding paragraphs, the controls that were tested, as described in Section III, were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified in Section III were achieved during the period of October 1, 2004 through June 30, 2005. However, the scope of our engagement did not include tests to determine whether control objectives not listed in Section III were achieved; accordingly, we express no opinion on the achievement of control objectives not included in Section III.

The relative effectiveness and significance of specific controls at DFAS and DISA, and their effect on assessments of control risk at user organizations, are dependent on their interaction with the internal control environment and other factors present at individual user organizations. We have performed no procedures to evaluate the effectiveness of internal controls placed in operation at individual user organizations.

The description of the controls at DFAS and DISA is as of June 30, 2005, and information about tests of their operating effectiveness covers the period of October 1, 2004 through June 30, 2005. Any projection of such information to the future is subject to the risk that, because of change, the description may no longer portray the system in existence. The potential effectiveness of specific controls at DFAS and DISA is subject to inherent limitations and, accordingly, errors or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that (1) changes made to the system or controls, (2) changes in processing requirements, or (3) changes required because of the passage of time may alter the validity of such conclusions.

This report is intended solely for use by DCPS management, its user organizations, and the independent auditors of such user organizations.

By direction of the Deputy Inspector General for Auditing:

Paul J. Granetto, CPA
Assistant Inspector General
Defense Financial Auditing Service

Section II: Description of DCPS Operations and Controls Provided by DFAS and DISA

II. Description of DCPS Operations and Controls Provided by DFAS and DISA

A. Overview of DCPS

Purpose of DCPS

In 1991, the DoD selected DCPS to serve as its standard payroll system for use by all DoD activities paying civilian employees, except Local Nationals and those funded by Non-appropriated Funds and Civilian Mariners. Before becoming the DoD-wide civilian pay system, DCPS was the Navy civilian pay system, which had been in operation since 1988. From a life cycle perspective, DCPS is in the maintenance phase, with changes mainly being driven by legislative and functional enhancements. The DCPS program mission is to process payroll for DoD civilian employees in accordance with existing regulatory, statutory, and financial information requirements relating to civilian pay entitlements and applicable policies and procedures. The DoD civilian pay program must satisfy the complex and extensive functional, technical, and interface requirements associated with the DoD civilian pay function. The functional areas include: employee data maintenance; time and attendance; leave; pay processing; deductions; retirement processing; debt collection; special actions; disbursing and collection; reports processing and reconciliation; and record maintenance and retention. DCPS provides standard interface support to various accounting, financial management, and personnel systems.

DCPS began paying the Executive Office of the President (EOP) in 1998. As part of the President's Management Agenda e-Payroll initiative, DFAS was selected as one of four federal payroll providers to service the entire executive branch of the Federal government. DFAS began processing payroll for the Department of Energy (DOE) in 2003 and the Department of Health and Human Services (HHS) in 2005. DCPS currently processes pay for approximately 762,000 employees.

DCPS is used primarily by approximately 350 payroll processing personnel at three DFAS payroll offices located in Pensacola, FL; Charleston, SC; and Denver, CO. DCPS is also used by NSA¹. Additional users are the Customer Service Representatives (CSRs) at customer activities and sites. Payroll for DoD civilians is processed by all three DFAS payroll offices. The EOP payroll is processed by the Pensacola payroll office, and the DOE and HHS payrolls are processed by the Charleston payroll office.

¹ The NSA payroll office is not included in the scope of this "Description of DCPS Operations and Controls Provided by DFAS and DISA."

DCPS Support Functions

The DFAS Military and Civilian Pay Services (M&CPS) Business Line (under the cognizance of the DFAS Director) provides high-level management control and coordination within DoD and for external customers. The Civilian Pay Services Product Line (within the M&CPS) has overall daily responsibility for application, operation, interpretation and implementation of DCPS, as well as responsibility for coordinating with external users and new customers. These responsibilities include requirements management, functional analysis, information assurance, and user documentation processes. The system is maintained and executed on the DISA mainframe platform at the Defense Enterprise Computing Center, Mechanicsburg, Pennsylvania (DECC MECH)². The Technology Services Engineering Organization in Pensacola (TSOPE) provides DCPS software engineering and operations support. Within TSOPE, several groups provide DCPS support. The Software Engineering Division provides technical design, programming, unit testing, and system documentation. Integration testing and evaluation processes are performed within the Software Test and Evaluation Division. Project Support provides system software, telecommunication, computer resource tools, and database support. DCPS Software Quality Assurance monitors the software engineering process and provides recommendations for improvement. The Systems Management Directorate provides configuration management, release management, implementation status, and customer support.

² According to DISA, Mechanicsburg is currently a DECC until September 2, 2005. Effective September 3, 2005, all DECCs are being converted to Systems Management Centers.

DCPS Systems Architecture

DCPS has a two-tiered architecture comprised of the following:

    • Mainframe hardware and software components, used as a repository for the collection and accumulation of data, and to provide centralized, biweekly processing of civilian pay and its attendant functions (e.g., electronic funds transfer, generation of leave, and earnings statements).

    • Remote user/print spooler hardware and software, used to collect and/or pre-process data at customer sites, provide connectivity to DCPS mainframe components, and support printing of mainframe generated outputs (e.g., reports, timesheets) at customer locations. These components are largely customer-owned and operated, and include local area networks (LANs), personal computers, and a diverse assortment of printers and software that operates and connects them. A limited number of mid-tier (minicomputer) systems have been maintained by DFAS at selected DFAS sites to handle specialized printing requirements (e.g., paychecks). Other offloaded print services, such as bulk printing for DCPS payroll offices and printing of Leave and Earnings Statements, are performed on PC/workstation hardware maintained by the Defense Automated Printing Service (DAPS) at sites located in various U.S. and overseas geographical regions.

The two tiers of the DCPS architecture are connected via DoD-maintained networks comprised of Internet Protocol (IP)-based (e.g., Non-Classified Internet Protocol Router Network (NIPRNET)) and Systems Network Architecture (SNA)-based (leased line) services. These networks connect DCPS to a wide variety of external, non-DCPS sites (mainframes, mid-tiers, and PCs) that supply or exchange data with DCPS on a regular basis, mainly through electronic file transfers. Examples of external interface sites include the Defense Civilian Personnel Data System, Federal Reserve Board, Thrift Savings Plan, Department of Treasury, and non-DoD users such as DOE, HHS and EOP.

The main technical components of DCPS include the following attributes:

    • DCPS is housed in a separate logical domain on an IBM z900 mainframe computer located at DECC MECH;

    • The IBM mainframe operating system software is z/OS release 1.4;

    • DCPS is written in the COBOL II language;

    • First point of entry security protection mechanisms are provided by Access Control Facility 2 (ACF2);

    • DECC MECH provides four web servers that service all applications that support DCPS. These servers accept the users' secure web requests by supplying a menu screen with options for each application to the DCPS LOGON SCREEN, where individuals enter their ACF2 login user IDs and passwords; and

    • Third-party software packages are used for DCPS process scheduling and monitoring.

The payroll offices and associated CSRs have access to DCPS via dedicated leased lines, various DoD networks, and through Secure Web Access. Secure Web Access enables secure transaction processing across the NIPRNET. IBM's Host On-Demand was used to establish the Secure Web Access infrastructure. DCPS users interact directly with the DCPS application through "3270" emulation, using Personal Computer/Advanced Technology keyboard mapping terminals or terminal simulation programs for communication with DCPS. This permits application-defined formatted screens to be displayed with protected static text and unprotected fields for data entry. The payroll offices are structured in accordance with DFAS standard staffing policy and conduct business using standard operating and support procedures. They operate on a 24-hour basis to provide payroll service to customers located in various time zones and are responsible for the full range of pay processing functions and services. As circumstances dictate, the offices serve as back-up operations sites for each other when contingency procedures must be invoked.

DoD Instruction 8500.2, "Information Assurance Implementation," February 6, 2003 (DoDI 8500.2), outlines specific control requirements that DoD systems should achieve based on their designated Mission Assurance Category (MAC).
According to the current\nDCPS System Security Authorization Agreement (SSAAs) as of June 30, 2005, the MAC\nlevel for the DCPS application is \xe2\x80\x9cMAC III\xe2\x80\x9d and its supporting enclave at DISA-\nMechanicsburg is \xe2\x80\x9cMAC II\xe2\x80\x9d.\n\n\n\n\n                                           13\n\x0cDCPS Data Flow\n\nFigure 1 below depicts the DCPS data flow as of April 2005:\n       Figure 1\n\n\n\n\nOverview of System Interfaces\n\nDCPS is a combination of on-line and batch programs that support the requirements of a\nbi-weekly, and in the case of the President, monthly payroll, for over 762,000 civilian\nemployees in the Federal government based on data feeds from numerous personnel,\naccounting, and time and attendance systems. Transactions to update employee data,\nadjust leave balances and payments, and report time and attendance may be input daily to\nspread the online workload and to obtain labor data. However, the focal point of the\nsystem is the bi-weekly process. Non bi-weekly process functions occur monthly,\nquarterly, annually, or as required, and are in support of or a result of, multiple bi-weekly\npay cycles. 
DCPS supports a standard personnel interface, decentralized time and\nattendance reporting, and the CSR structure.\n\nDCPS accepts input from three primary areas: CSRs, timekeepers, and personnel offices.\nDCPS receives or creates approximately 140 interface files that, among other functions:\n\n       \xe2\x80\xa2   update personnel information,\n       \xe2\x80\xa2   upload time and attendance data,\n       \xe2\x80\xa2   download information for checks to be printed,\n\n\n\n                                             14\n\x0c       \xe2\x80\xa2   report accounting information to Treasury,\n       \xe2\x80\xa2   reconcile enrollment information with health care providers, and\n       \xe2\x80\xa2   download general accounting information to DoD agencies.\n\nAutomatic electronic file transfer directly to and from the host mainframe computer is\npreferred for input and output file interfaces. Output files are automatically transmitted\nto sites and activities using common file transfer protocols, via communication lines of\nfiles written to magnetic tape at the host (per data in File Transfer Tables). CSRs must\nprovide File Transfer Table data to TSOPE for table updates. For files not automatically\ntransferred, it is the activity\xe2\x80\x99s responsibility to access the host computer to retrieve\n(\xe2\x80\x9cpull\xe2\x80\x9d) their output file(s) from the host. It is the responsibility of the activity creating\nan input interface file for DCPS to deliver it, by whatever means, to the payroll office or\nthe processing center supporting the payroll office. A mutually agreeable schedule\nbetween the payroll activity and the submitting activity must be established to ensure\ntimely receipt of data to support DCPS payroll processing. TSOPE is responsible for\nexecuting and monitoring the interface processing as well as resolving interfacing\nprocessing errors or problems.\n\nB. 
Control Environment\nDCPS Management Oversight\n\nThe DFAS M&CPS Business Line (under the cognizance of the DFAS Director) provides\nhigh-level management control and coordination within DoD and DCPS external\ncustomers. The Civilian Pay Services Product Line (within the M&CPS) has overall\ndaily responsibility for the DCPS system. The DFAS Information and Technology\nDirectorate is responsible for reviewing, approving the overall DCPS security policy and\nits certification and accreditation plan, and granting DCPS authority to operate. The\nTSOPE, a unit of DFAS, provides DCPS software engineering, production support, and\ncustomer service. The TSOPE reports to the Civilian Pay Services Product Line. DCPS\nis maintained and executed on DISA mainframe platforms at DECC MECH. DECC\nMECH is part of the Center for Computing Services within the Global Information Grid\nCombat Support Directorate, which is a Strategic Business Unit within DISA. DISA and\nDFAS are Defense Agencies that report to the Office of the Secretary of Defense. DISA\nsupport services provided to DCPS are documented in a signed service level agreement\nbetween DISA and DFAS. The service level agreement is reviewed and updated by both\nagencies on an annual basis. Both DFAS and DISA have documented policies and\nprocedures for their respective functions.\n\nPersonnel Policies and Procedures\n\nDFAS Payroll Offices and TSOPE\n\nPayroll office employees and contractors are required to review applicable administrative\norders, policies, and procedures with the Human Resource Office and must complete\nappropriate forms to gain access to DFAS systems. New employees must meet with the\nInformation Security (IS) Manager. 
The IS Manager is responsible for: (1) providing\nbasic systems security awareness training, (2) securing civilians\xe2\x80\x99 and contractors\xe2\x80\x99\nsignatures on an Automated Data Processing Security Awareness disclosure, (3)\nidentifying to the employee who their Terminal Area Security Officer (TASO) is and\nwhat the TASO responsibilities are, and (4) notifying appropriate personnel to provide\n\n\n                                              15\n\x0caccess or to immediately terminate employee and/or contractor access to DFAS\nautomated information system resources when an employee and/or contractor are\nprocessing-in or processing-out. The payroll offices and TSOPE facilities do not require\nany specific level of prior security clearance before a candidate can become an employee.\n\nDECC MECH\n\nThe security manager is responsible for processing and vetting new employees and\ncontractors who are given access to DISA facilities in Mechanicsburg. All contractors\nand employees are required, at a minimum, to have a secret clearance and a positive\nNational Agency Check for employees, the security manager coordinates with the\npersonnel office and for contractors, the security manager coordinates with the\ncontracting officer. The contracting officer is responsible for confirming that all\ncontractors are assigned to a valid contract, and have been approved to operate at DECC\nMECH.\n\nAll new employees are required to sign DISA Form 312, \xe2\x80\x9dClassified Information\nNondisclosure Agreement,\xe2\x80\x9d which serves as a nondisclosure agreement for sensitive and\nclassified information. When employees are terminated, DISA requires them to sign the\nsame Form 312 to confirm their understanding of the requirements put upon them. 
For\nnew employees and contractors to gain access to DISA systems, they are required to\ncomplete DD Form 2875, \xe2\x80\x9cSystem Authorization Access Request.\xe2\x80\x9d The security\nmanager is responsible for vetting these forms and confirming that the person requesting\naccess has the proper clearance for the level of access requested. For contractors, the\nsecurity manager confirms the length of the contract and determines when system\naccounts should expire. All new employees and contractors must complete security\nawareness training.\n\nC. Monitoring\nManagement and supervisory personnel at DFAS and DISA monitor the performance\nquality and internal control environment as a normal part of their activities. DFAS and\nDISA have implemented a number of management, financial, and operational reports that\nhelp monitor the performance of payroll processing, as well as the DCPS system itself.\nThese reports are reviewed periodically and action is taken as necessary. All procedural\nproblems and exceptions to normal and scheduled processing are logged, reported, and\nresolved in a timely manner, with remedial action taken as necessary.\n\nIn addition, several organizations within DoD perform monitoring activities associated\nwith DCPS-related internal controls. These functions include:\n\nDISA Office of the Inspector General and Field Security Office\n\nDISA has its own Office of Inspector General (OIG), which is an independent office\nwithin DISA that conducts internal audits, inspections, and investigations. 
The DISA-\nrelated components that support DCPS are part of the DISA OIG audit universe and are\nsubject to audits, inspections, and investigations conducted by this office.\n\nIn addition, DISA has a Field Security Operations (FSO) unit that performs periodic\nSystem Readiness Reviews of DISA systems to determine whether those systems are in\ncompliance with the DISA documented Standard Technical Implementation Guides\n\n\n\n                                           16\n\x0c(STIGs). The DCPS system components that are maintained by DISA are subject to\nthese FSO reviews. The FSO is independent of the DECC MECH management structure\nand does not maintain or configure DCPS systems.\n\nCertification and Accreditation\n\nDoD Instruction 5200.40, \xe2\x80\x9cDepartment of Defense Information Technology Security\nCertification and Accreditation Process (DITSCAP),\xe2\x80\x9d December 30, 1997, establishes a\nstandard Department-wide process, set of activities, general tasks, and management\nstructure to certify and accredit information systems that will maintain the information\nassurance and security posture of the defense information infrastructure throughout the\nlife cycle of each system. The certification process is a comprehensive evaluation of the\ntechnical and non-technical security features of an information system and other\nsafeguards to establish the extent to which a particular design and implementation meets\nspecified security requirements and covers physical, personnel, administrative,\ninformation, information systems, and communications security. The accreditation\nprocess is a formal declaration by the designated approving authority that an information\nsystem is approved to operate in a particular security mode using a prescribed set of\nsafeguards at an acceptable level of risk.\n\nDCPS is subject to the requirements of DITSCAP and must meet all of the DITSCAP\ncertification and accreditation requirements throughout its life cycle. 
As part of the\nDCPS DITSCAP process, separate SSAAs have been prepared for the DCPS application\nitself and for the system enclave within DISA that supports the application. Each SSAA\nis a living document that represents an agreement between the designated approving\nauthority, certifying authority, user representative, and program manager. Among other\nitems, the DCPS SSAA documents DCPS\xe2\x80\x99 mission description and system identification,\nenvironment description, system architecture description, system class, system security\nrequirements, organizations and resources, and DITSCAP plan. On a periodic basis, the\nsystem security officer must verify and validate DCPS\xe2\x80\x99 compliance with the information\nin the SSAA. These verification and validation procedures include, among other steps,\nvulnerability evaluations, security testing and evaluation, penetration testing, and risk\nmanagement reviews. The DCPS application SSAA, which was issued in May 2002 and\nvalid for three years, is currently being modified as part of their DITSCAP recertification\nand reaccredidation process that is expected to be completed in July 2005. The DECC\nMECH enclave SSAA, which was issued in October 2003 is valid for three years and is\nthe same SSAA that was in place for the DCPS audit report issued in October 2004.\n\nDoD Office of Inspector General (DoD OIG)\n\nThe DoD OIG was established under the Inspector General Act of 1978 by Congress to\nconduct and supervise audits and investigations related to the programs and operations of\nthe DoD. The DoD OIG reports directly to the Secretary of Defense and is independent\nof DFAS and DISA. DCPS, as well as the payroll processes it supports, is part of the\nDoD OIG audit universe and is subject to financial, operational, and information\ntechnology audits, reviews, and special assessment projects.\n\nD. 
Risk Assessment\nThe DITSCAP process, discussed in subsection C above, includes several activities that\ndocument and assess risks associated with DCPS. The DCPS application and enclave\nSSAAs, which are a product of the DITSCAP process, also document threats to DCPS\n\n\n                                            17\n\x0cand its supporting technical environment. The SSAAs also contain Residual Risk\nAssessments that document vulnerabilities noted during DCPS tests and analyses. The\ninformation contained in the SSAAs is updated on a periodic basis. Personnel from\nDFAS TSOPE and DECC MECH participate in these risk assessment activities.\n\nE. Information and Communication\nDCPS is the information system used to process civilian payroll for DoD and its payroll\ncustomers, such as EOP, DOE and HHS. The processing of payroll involves over 140\ndata files that interface with DCPS. These interfaces are linked to other DoD financial\nsystems as well as external systems. The majority of the interfaces are automated. All\nautomated interfaces must conform to documented interface specifications developed by\nthe TSOPE, who is responsible for executing and monitoring the automated interfaces.\n\nThe support relationship between DFAS and DECC MECH is documented through a\nservice level agreement that is reviewed and updated annually. The service level\nagreement outlines various DFAS and DECC MECH points of contact and liaisons that\nshould be used when DCPS issues arise. DECC MECH also assigned a customer\nrelationship manager to work with DFAS TSOPE to resolve any DCPS processing\nproblems or concerns.\n\nWithin DFAS, the TSOPE and payroll offices have a weekly meeting between the\ndirectors and managers of both organizations to discuss DCPS processing issues. There\nis also a Configuration Control Board (CCB), comprised of TSOPE and payroll office\npersonnel, to review and approve functional and systemic changes to DCPS. 
The payroll\noffices also have a help desk function to identify and track user issues and problems with\nDCPS and communicate those issues and problems to the TSOPE for resolution.\n\nF. Control Activities\nThe DCPS control objectives and related control activities are included in Section III of\nthis report, \xe2\x80\x9cInformation Provided by the Service Auditor,\xe2\x80\x9d to eliminate the redundancy\nthat would result from listing them in this section and repeating them in Section III.\nAlthough the control objectives and related controls are included in Section III, they are,\nnevertheless, an integral part of the description of controls.\n\nG. User Organization Control Considerations\nThe control activities at DFAS and DISA related to DCPS were designed with the\nassumption that certain controls would be placed in operation at user organizations. This\nsection describes some of the controls that should be in operation at user organizations to\ncomplement the controls at DFAS and DISA.\n\nUser organizations should have policies and procedures in place to ensure that:\n\n       \xe2\x80\xa2   The Information Systems Security Officer (ISSO) located at the payroll\n           offices is notified of all terminated employees that are DCPS users.\n\n\n\n\n                                            18\n\x0c\xe2\x80\xa2   The local Human Resource Office is notified of all terminated employees, so\n    that such employees are removed from the Master Employee Record in a\n    timely manner.\n\n\xe2\x80\xa2   All time entered by timekeepers is approved and authorized by appropriate\n    user organization management.\n\n\xe2\x80\xa2   All Master Employee Records created represent valid employees.\n\n\xe2\x80\xa2   All changes to the Master Employee Record are approved by appropriate user\n    organization personnel prior to payroll processing.\n\n\xe2\x80\xa2   Segregation of duties exists between those at the user organization who enter\n    time and those who enter or 
change Master Employee Records.\n\n\xe2\x80\xa2   If a pseudo Social Security Number (SSN) is created, the pseudo SSN has\n    been authorized by appropriate user organization personnel and, if necessary,\n    is accurately tied to a primary and valid SSN.\n\n\xe2\x80\xa2   User organization managers review the \xe2\x80\x9cControl of Hours\xe2\x80\x9d and other payroll-\n    related reports for appropriateness and accuracy.\n\n\xe2\x80\xa2   All invalid time entry interface feeds are reviewed and processed by\n    appropriate user organization personnel in a controlled manner.\n\n\xe2\x80\xa2   All invalid personnel record interface feeds are resolved in the interface\n    system by user organization personnel with appropriate approval by user\n    organization management.\n\n\n\n\n                                     19\n\x0c\x0cSection III: Control Objectives, Control Activities, and Tests\n                 of Operating Effectiveness\n\n\n\n\n                              21\n\x0c\x0cIII. Control Objectives, Control Activities, and Tests of\n     Operating Effectiveness\n\nA. Scope Limitations\nThe control objectives documented in this section were specified by the DoD OIG. As\ndescribed in the prior section (Section II), DCPS interfaces with many systems. The\ncontrols described and tested within this section of the report are limited to those\ncomputer systems, operations, and processes directly related to DCPS itself. The controls\nrelated to the source and destination systems associated with the DCPS interfaces are\nspecifically excluded from this review. We did not perform procedures to evaluate the\neffectiveness of the input, processing, and output controls within these interface systems.\nHowever, we did perform procedures to evaluate DCPS interface input and output\ncontrols. In addition, we did not perform any procedures to evaluate the integrity and\naccuracy of the data contained in DCPS.\n\n\n\n\n                                            23\n\x0cB. 
Control Objectives, Control Activities, and Tests of Operating Effectiveness\n\nApplication Control Objectives, Activities, Test Procedures and Results of Testing\n\nNo.       Control Objective               Control Activities                       Tests Performed                           Results of Testing\n      1   Controls provide reasonable     Policies and procedures are              Read policies and procedures and          No relevant exceptions noted.\n          assurance that only valid and   documented to describe that only valid   inquired with appropriate personnel to\n          accurate changes are made to    and accurate changes are made to the     confirm that policies and procedures\n          the payroll master files and    payroll master files and payroll         related to the processing of valid\n          payroll withholding tables.     withholding tables.                      changes to the payroll master files and\n                                                                                   payroll existed and were documented.\n                                          Payroll master file and withholding      Inspected Online Queries (OLQs) and       DFAS Charleston\n                                          data tables are periodically reviewed    Master Employee Add/Change/Delete         The OLQs and Master Employee\n                                          by supervisory personnel for accuracy    reports and inquired with appropriate     Add/Change/Delete reports were\n                                          and ongoing pertinence.                  personnel to confirm that master files    not signed off on to indicate they\n                                                                                   and withholding tables were               have been reviewed. 
However, as a\n                                                                                   periodically reviewed by supervisory      mitigating circumstance, we\n                                                                                   personnel for accuracy and ongoing        observed that the Payroll Office\n                                                                                   pertinence.                               staff reviewed the summary reports;\n                                                                                                                             and the reports were archived\n                                                                                                                             indicating that they had been run.\n                                          Programmed validation and edit           Observed programmed validation and        No relevant exceptions noted.\n                                          checks identify erroneous data.          edit checks and inquired with\n                                                                                   appropriate personnel and to confirm\n                                                                                   they existed.\n                                          Changes to the payroll withholding       Observed the process of tax changes       No relevant exceptions noted.\n                                          tables and master files are compared     to the payroll withholding tables and\n                                          to authorized source documents by        master files being compared to\n                                          supervisory personnel to ensure that     authorized source documents by\n                                          they were input accurately.              
supervisory personnel and inquired\n                                                                                   with appropriate personnel and to\n                                                                                   confirm that they were tested and\n                                                                                   approved.\n\n                                                                                   Observed the imaging process to\n                                                                                   confirm that inputs were compared to\n                                                                                   authorized imaging documents and\n                                                                                   inquired with appropriate personnel to\n\n\n\n                                                                         24\n\x0cNo.       Control Objective               Control Activities                       Tests Performed                           Results of Testing\n                                                                                   confirm that they were input\n                                                                                   accurately.\n      2   Controls provide reasonable     Policies and procedures are              Read policies and procedures and          No relevant exceptions noted.\n          assurance that changes to the   documented to describe that changes      inquired with appropriate personnel to\n          payroll master files and        to the payroll master files and          confirm that policies and procedures\n          withholding tables are          withholding tables are authorized,       related to the processing of changes to\n          authorized, input, and          input, and processed timely.             payroll master files and withholding\n          processed timely.                                          
              tables existed and were documented.\n                                          Changes to the payroll master file and   Inquired with appropriate personnel       DFAS Charleston\n                                          withholding table data are logged in     and inspected the Master Employee         The Master Employee\n                                          numerous reports including the Master    Add/Change/Delete report to confirm       Add/Change/Delete reports, as well\n                                          Employee Add/Change/Delete Report        that changes to the payroll master file   as other summary reports, were not\n                                          and reviewed by supervisory              and table data were logged and            signed off to indicate they were\n                                          personnel to ensure that all requested   reviewed by supervisory personnel.        reviewed. However, as a mitigating\n                                          changes are processed timely.                                                      
circumstance, we observed that the\n                                                                                                                             Payroll Office staff reviewed the\n                                                                                                                             summary reports and the reports\n                                                                                                                             were archived indicating that they\n                                                                                                                             had been run.\n                                          Requests to change the payroll master    Inspected a random sample of              DFAS-Denver\n                                          file data and withholding table are      45 Remedy Tickets and inquired with       One of 45 Remedy Tickets tested\n                                          submitted on pre-numbered Remedy         appropriate personnel to confirm the      was not completed within the\n                                          Tickets; the numerical sequence of the   requests:                                 required timeframe.\n                                          Remedy Tickets is accounted for to\n                                          ensure that the requested changes are    \xe2\x80\xa2 Were pre-numbered;                      DFAS-Pensacola\n                                          processed timely. 
(Table continued from the previous page. Each entry below gives the table's columns in order: No., Control Objective, Control Activities, Tests Performed, Results of Testing. Office-specific results are labeled by payroll office; "No relevant exceptions noted" applies to all offices tested.)

Control Activities: Access to source documents is controlled; key source documents require signatures from supervisory personnel.
Tests Performed (continued from the previous page):
• That the sequence of forms was accounted for, so that the forms were accounted for in a timely manner;
• That access to the source documents was restricted; and
• That key source documents required signatures from supervisory personnel.
Results of Testing (continued from the previous page): Four of 45 Remedy Tickets tested were not completed within the required timeframe.
DFAS-Charleston: Two of 45 Remedy Tickets tested were not completed within the required timeframe.

Control Activities: Payroll master file data and withholding table data are edited and validated, and errors identified on the Personnel Interface Invalid Report are corrected promptly.
Tests Performed: Inspected a haphazard sample of 45 Personnel Interface Invalid Reports of erroneous transactions and inquired with appropriate personnel to confirm that items were investigated and resolved in a timely manner.
Results of Testing:
DFAS-Denver: Due to technical difficulties with the document management system used to store the Personnel Interface Invalid Reports, the reports could not be provided for the period prior to March 27, 2005, which represented 18 of the 45 reports selected for testing. Additionally, one of the remaining 27 reports from March 28, 2005 through June 30, 2005 could not be located, which left a sample of 26 to be reviewed. Annotations on 23 of the 26 Personnel Interface Invalid Reports from March 28, 2005 through June 30, 2005 did not include the corrective actions taken; 18 of the 26 reports provided were not dated as completed, and 12 of the 26 were not initialed as completed.
DFAS-Charleston: Because the system did not allow annotation of the Personnel Interface Invalid Reports, and because payroll office personnel performed an undocumented random review of the reports instead of a documented review of all reports, the audit team could not determine that the Personnel Interface Invalid Reports were properly corrected, annotated, and reviewed by supervisors. Therefore, testing of the reports at the DFAS-Charleston payroll office was not performed.
DFAS-Pensacola: Ten of the 44 Personnel Interface Invalid Reports were not available for review. The remaining 34 reports that were reviewed did not always have the final resolution of errors annotated in the report. The Personnel Interface Invalid Reports were not reviewed by a supervisor to ensure that all exceptions noted on the report had been corrected by the payroll technician.

Control Activities: The ability to view, modify, or transfer information contained in the payroll master files is restricted to authorized personnel.
Tests Performed: Inspected a random sample of 45 access forms to confirm that the user on the form was properly authorized and that the access granted on the form matched the access granted within DCPS.
Results of Testing:
Payroll Office Users: Seven of the 45 payroll office users' SAAR forms selected for testing contained an authorization for access on the SAAR form that did not match the access granted within DCPS. In addition, one of the 45 payroll office users' SAAR forms selected for testing did not contain a supervisor's signature.
Non-Payroll Office Users: Four of the 45 non-payroll office users' SAAR forms selected for testing contained an authorization for access on the SAAR form that did not match the access granted within DCPS. In addition, four of the 45 non-payroll office users' SAAR forms could not be located.

3. Control Objective: Controls provide reasonable assurance that payroll processing is accurate and recorded in the proper period.

Control Activities: Policies and procedures are documented to describe that payroll processing is accurate and recorded in the proper period.
Tests Performed: Read policies and procedures and inquired with appropriate personnel to confirm that policies and procedures related to the accurate processing and recording of payroll existed and were documented.
Results of Testing: No relevant exceptions noted.

Control Activities: Compliance with the payroll disbursement processing schedule is monitored by management.
Tests Performed: Observed payroll disbursement processes, inquired with appropriate personnel, and inspected pay processing schedules to confirm that management was monitoring the payroll disbursement processing schedule.
Results of Testing: No relevant exceptions noted.

Control Activities: The detailed "592" payroll reconciliation shows all pertinent data describing the payroll (including total disbursements, Retirement, Thrift Savings Plan (TSP), Bonds, and other withholdings), and the related balances are reconciled, in the appropriate accounting period, to the corresponding general ledger accounts within DCPS. All reconciling items are investigated and cleared on a timely basis by supervisory personnel prior to disbursement.
Tests Performed: Inspected a sample of 20 "592" reconciliations for each database (covering all pay periods during the 9-month audit period) and inquired with appropriate personnel to confirm:
• The detailed payroll reconciliation showed pertinent data describing the payroll (including total disbursements, Retirement, TSP, Bonds, and other withholdings), and the related balances were reconciled, in the appropriate accounting period, to the corresponding general ledger accounts within DCPS;
• Each "592" reconciliation was approved by management prior to disbursement; and
• Reconciling items were investigated and cleared on a timely basis by supervisory personnel prior to disbursement.
Results of Testing: No relevant exceptions noted.

Control Activities: Summary payroll reports, including OLQs of total disbursements, Retirement, TSP, Bonds, and other withholdings, are reviewed and approved by management prior to disbursement.
Tests Performed: Inspected summary reports and OLQs, observed payroll office staff summary report and OLQ review procedures, and inquired with appropriate personnel to confirm that the reports were reviewed and approved by management prior to disbursement.
Results of Testing:
DFAS-Charleston: The summary reports, including the OLQs, were not signed off to indicate that they were reviewed. However, as a mitigating circumstance, we observed that the Payroll Office staff reviewed the summary reports, and the reports were archived, indicating that they had been run.

4. Control Objective: Controls provide reasonable assurance that disbursed payroll (including compensation and withholding) is accurately calculated and recorded.

Control Activities: Policies and procedures are documented to describe that management ensures disbursed payroll (including compensation and withholding) is accurately calculated and recorded.
Tests Performed: Read policies and procedures and inquired with appropriate personnel to confirm that policies and procedures related to the disbursement of payroll existed and were documented.
Results of Testing: No relevant exceptions noted.

Control Activities: The detailed "592" payroll reconciliation shows all pertinent data describing the payroll (including total disbursements, Retirement, TSP, Bonds, and other withholdings), and the related balances are reconciled, in the appropriate accounting period, to the corresponding general ledger accounts within DCPS. All reconciling items are investigated and cleared on a timely basis by supervisory personnel prior to disbursement.
Tests Performed: Inspected a sample of 20 "592" reconciliations for each database (covering all pay periods during the 9-month audit period) and inquired with appropriate personnel to confirm:
• The detailed payroll reconciliation showed pertinent data describing the payroll (including total disbursements, Retirement, TSP, Bonds, and other withholdings), and the related balances were reconciled, in the appropriate accounting period, to the corresponding general ledger accounts within DCPS;
• Each "592" reconciliation was approved by management prior to disbursement; and
• Reconciling items were investigated and cleared on a timely basis by supervisory personnel prior to disbursement.
Results of Testing: No relevant exceptions noted.

Control Activities: Summary payroll reports, including OLQs of total disbursements, Retirement, TSP, Bonds, and other withholdings, are reviewed and approved by management prior to disbursement.
Tests Performed: Inspected summary reports and OLQs, observed payroll office staff summary report and OLQ review procedures, and inquired with appropriate personnel to confirm that the reports were reviewed and approved by management prior to disbursement.
Results of Testing:
DFAS-Charleston: The summary reports, including the OLQs, were not signed off to indicate that they were reviewed. However, as a mitigating circumstance, we observed that the Payroll Office staff reviewed the summary reports, and the reports were archived, indicating that they had been run.

Control Activities: DCPS performs limit and reasonableness checks on employee earnings.
Tests Performed: Inspected a report showing earnings limit and reasonableness errors and inquired with appropriate personnel to confirm whether reasonableness checks were performed on employee earnings.
Results of Testing: No relevant exceptions noted.

Control Activities: Programmed validation and edit checks identify erroneous data.
Tests Performed: Observed the entry of new employee information into DCPS to confirm that programmed validation and edit checks were executed.
Results of Testing: No relevant exceptions noted.

5. Control Objective: Controls provide reasonable assurance that only valid, authorized employees are paid and that payroll is disbursed to appropriate employees.

Control Activities: Policies and procedures are documented to describe that management ensures only valid, authorized employees are paid and that payroll is disbursed to appropriate employees.
Tests Performed: Read policies and procedures and inquired with appropriate personnel to confirm that policies and procedures related to disbursement of payroll to valid and authorized employees existed and were documented.
Results of Testing: No relevant exceptions noted.

Control Activities: OLQs and summary reports, such as the Master Employee Add/Change/Delete Report, are periodically reviewed by supervisory personnel to determine whether the master files remain accurate and pertinent.
Tests Performed: Inspected OLQs and Master Employee Add/Change/Delete reports, observed payroll office staff summary report and OLQ review procedures, and inquired with appropriate personnel to confirm that master files and withholding tables were periodically reviewed by supervisory personnel.
Results of Testing:
DFAS-Charleston: The OLQs and Master Employee Add/Change/Delete reports were not signed off to indicate that they were reviewed. However, as a mitigating circumstance, we observed that the Payroll Office staff reviewed the summary reports, and the reports were archived, indicating that they had been run.

Control Activities: Departmental managers periodically review listings of current employees within their departments, such as the Personnel/Payroll Reconciliation and Control of Hours Report, and notify the personnel department of necessary changes. All payroll queries are followed up by persons independent of the payroll preparation and disbursement process.
Tests Performed: Inspected the Personnel/Payroll Reconciliation and Control of Hours Reports and inquired with appropriate personnel to confirm that the reports were sent to management for review of employee listings and that the personnel department was notified of changes.
Results of Testing: No relevant exceptions noted.

Control Activities: The detailed "592" payroll reconciliation shows all pertinent data describing the payroll (including total disbursements, Retirement, TSP, Bonds, and other withholdings), and the related balances are reconciled, in the appropriate accounting period, to the corresponding general ledger accounts within DCPS. All reconciling items are investigated and cleared on a timely basis by supervisory personnel prior to disbursement.
Tests Performed: Inspected a sample of 20 "592" reconciliations for each database (covering all pay periods during the 9-month audit period) and inquired with appropriate personnel to confirm:
• The detailed payroll reconciliation showed pertinent data describing the payroll (including total disbursements, Retirement, TSP, Bonds, and other withholdings), and the related balances were reconciled, in the appropriate accounting period, to the corresponding general ledger accounts within DCPS;
• Each "592" reconciliation was approved by management prior to disbursement; and
• Reconciling items were investigated and cleared on a timely basis by supervisory personnel prior to disbursement.
Results of Testing: No relevant exceptions noted.

Control Activities: Summary payroll reports, including OLQs of total disbursements, Retirement, TSP, Bonds, and other withholdings, are reviewed and approved by management prior to disbursement.
Tests Performed: Inspected summary reports and OLQs and inquired with appropriate personnel to confirm that the reports were reviewed and approved by management prior to disbursement.
Results of Testing:
DFAS-Charleston: The OLQs and Master Employee Add/Change/Delete reports were not signed off to indicate that they were reviewed. However, as a mitigating circumstance, we observed that the Payroll Office staff reviewed the summary reports, and the reports were archived, indicating that they had been run.

Control Activities: Only authorized personnel have the ability to disburse payroll.
Tests Performed: Observed the disbursement of payroll, inspected a random sample of 45 DCPS users, and inquired with the appropriate personnel to confirm that only authorized personnel had the ability to disburse payroll.
Results of Testing: No relevant exceptions noted.

6. Control Objective: Controls provide reasonable assurance of the integrity and reliability of DCPS data for financial reporting purposes.

Control Activities: Policies and procedures are documented to describe that management ensures controls provide reasonable assurance of the integrity and reliability of DCPS data for financial reporting purposes.
Tests Performed: Read policies and procedures and inquired with appropriate personnel to confirm that policies and procedures related to the controls over the integrity and reliability of DCPS data existed and were documented.
Results of Testing: No relevant exceptions noted.

Control Activities: Payroll transactions at the end of a payroll cycle are reconciled by supervisory personnel to ensure complete and consistent recording in the appropriate accounting period.
Tests Performed: Inspected a sample of 20 "592" payroll reconciliations prepared at the end of a payroll cycle (covering all pay periods during the 9-month audit period) and inquired with appropriate personnel to confirm that the transactions were reconciled.
Results of Testing: No relevant exceptions noted.

Control Activities: Error reports, such as the Personnel Interface Invalid Report, and error warnings show rejected transactions with error messages that have clearly understandable corrective actions for each type of error.
Tests Performed: Inspected error warnings and a haphazard sample of 45 Personnel Interface Invalid Reports and inquired with appropriate personnel to confirm that they showed rejected transactions with error messages that had clearly understandable corrective actions for each type of error.
Results of Testing:
DFAS-Denver: Due to technical difficulties with the document management system used to store the Personnel Interface Invalid Reports, the reports could not be provided for the period prior to March 27, 2005, which represented 18 of the 45 reports selected for testing. Additionally, one of the remaining 27 reports from March 28, 2005 through June 30, 2005 could not be located, which left a sample of 26 to be reviewed. Annotations on 23 of the 26 Personnel Interface Invalid Reports from March 28, 2005 through June 30, 2005 did not include the corrective actions taken; 18 of the 26 reports provided were not dated as completed, and 12 of the 26 were not initialed as completed.
DFAS-Charleston: Because the system did not allow annotation of the Personnel Interface Invalid Reports, and because payroll office personnel performed an undocumented random review of the reports instead of a documented review of all reports, the audit team could not determine that the
                                                        Personnel Interface Invalid Reports\n                                                                                                             are properly corrected, annotated,\n                                                                                                             and reviewed by supervisors.\n                                                                                                             Therefore, testing of the reports at\n                                                                                                             DFAS Charleston payroll office\n                                                                                                             was not performed.\n\n                                                                                                             DFAS-Pensacola\n                                                                                                             Ten of the 44 Personnel Interface\n                                                                                                             Invalid Reports were not available\n                                                                                                             for review. The remaining 34\n                                                                                                             reports that were reviewed did not\n                                                                                                             always have the final resolution of\n                                                                                                             errors annotated in the report. 
The\n                                                                                                             Personnel Interface Invalid Reports\n                                                                                                             were not reviewed by a supervisor\n                                                                                                             to ensure all exceptions noted on\n                                                                                                             the report had been corrected by the\n                                                                                                             payroll technician.\n                          Rejected data are automatically           Inspected the Personnel Interface        No relevant exceptions noted.\n                          written to the Personnel Interface        Invalid Report of rejected data and\n                          Invalid Report and held until corrected   inquired with the appropriate\n                          by payroll technicians, and each          personnel to confirm that the rejected\n                          erroneous transaction is annotated        data were automatically written on an\n                          with codes indicating the type of data    automated error suspense file and held\n\n\n\n                                                          33\n\x0cNo.       
Control Objective                 Control Activities                        Tests Performed                           Results of Testing\n                                            error, date and time the transaction      until corrected by payroll technicians.\n                                            was processed and the error identified,   In addition, verified whether each\n                                            and the identity of the user who          erroneous transaction was annotated\n                                            originated the transaction.               with codes indicating the type of data\n                                                                                      error, date and time the transaction\n                                                                                      was processed, the error identified,\n                                                                                      and the identify of the user who\n                                                                                      originated the transaction.\n      7   Controls provide reasonable       Policies and procedures are               Read policies and procedures and          No relevant exceptions noted.\n          assurance that fiscal year-end,   documented to describe that               inquired with appropriate personnel to\n          leave-year-end and calendar       management ensures fiscal year-end,       confirm that policies and procedures\n          year-end processing occurs in     leave-year-end and calendar year-end      related to fiscal year-end, leave-year-\n          accordance with established       processing occurs in accordance with      end, and calendar year-end processing\n          Government-wide and agency        established Government-wide and           existed and were documented.\n          guidelines.                       
agency guidelines.\n                                            Payroll withholding table data is         Inspected payroll withholding table       No relevant exceptions noted.\n                                            periodically reviewed by supervisory      data updates to confirm they were\n                                            personnel for compliance with             periodically updated by supervisory\n                                            statutory requirements.                   personnel for compliance with\n                                                                                      statutory requirements.\n                                            The detailed \xe2\x80\x9c592\xe2\x80\x9d payroll                Inquired with appropriate personnel       No relevant exceptions noted.\n                                            reconciliation shows all pertinent data   and inspected a sample of 20 (to\n                                            describing the payroll (including total   include all pay periods during the\n                                            disbursements, Retirement, TSP,           9 month audit period) \xe2\x80\x9c592\xe2\x80\x9d\n                                            Bonds, and other withholdings) and        reconciliations for each database to\n                                            the related balances are reconciled, in   confirm:\n                                            the appropriate accounting period, to\n                                            corresponding general ledger accounts     \xe2\x80\xa2 The detailed payroll reconciliation\n                                            within DCPS. 
All reconciling items          showed pertinent data describing\n                                            are investigated and cleared on a           the payroll (including total\n                                            timely basis by supervisory personnel,      disbursements, Retirement, TSP,\n                                            prior to disbursement.                      Bonds, and other withholdings)\n                                                                                        and the related balances were\n                                                                                        reconciled, in the appropriate\n                                                                                        accounting period, to\n                                                                                        corresponding general ledger\n                                                                                        accounts within DCPS;\n\n                                                                                      \xe2\x80\xa2 Each \xe2\x80\x9c592\xe2\x80\x9d reconciliation was\n\n\n                                                                            34\n\x0cNo.   
Control Objective   Control Activities                      Tests Performed                         Results of Testing\n                                                                    approved by management prior to\n                                                                    disbursement and;\n\n                                                                   \xe2\x80\xa2 Reconciling items were\n                                                                     investigated and cleared on a\n                                                                     timely basis by supervisory\n                                                                     personnel, prior to disbursement.\n                          The data processing control group has   Inspected the schedules used by the     No relevant exceptions noted.\n                          a schedule by application that shows    data processing group and inquired\n                          when outputs should be completed,       with appropriate personnel to confirm\n                          when they need to be distributed, who   they:\n                          the recipients are, and the copies\n                          needed; reviews output products for     \xe2\x80\xa2 Had a schedule by application that\n                          general acceptability; and reconciles     showed when outputs needed to be\n                          control information to determine          completed, when they needed to be\n                          completeness of processing.               
distributed, who the recipients\n                                                                    were, and the copies needed;\n\n                                                                  \xe2\x80\xa2 Reviewed output products for\n                                                                    general acceptability, and\n\n                                                                   \xe2\x80\xa2 Reconciled control information to\n                                                                     determine completeness of\n                                                                     processing.\n                          Users review the Personnel Interface    Inspected a haphazard sample of 45      DFAS-Denver\n                          Invalid Reports for data accuracy,      Personnel Interface Invalid Reports     Due to technical difficulties with\n                          validity, and completeness.             and inquired with appropriate           the document management system\n                                                                  personnel to confirm the reports were   used to store the Personnel Interface\n                                                                  reviewed for data accuracy, validity,   Invalid Reports, the Personnel\n                                                                  and completeness.                       
Interface Invalid Reports could not\n                                                                                                          be provided prior to March 27,\n                                                                                                          2005, which represented 18 of the\n                                                                                                          45 reports selected for testing.\n                                                                                                          Additionally, one of the remaining\n                                                                                                          27 reports from March 28, 2005\n                                                                                                          through June 30, 2005 could not be\n                                                                                                          located, which left the sample of 26\n                                                                                                          to be reviewed. Annotations on 23\n                                                                                                          of the 26 Personnel Interface\n\n\n                                                         35\n\x0cNo.   
Control Objective   Control Activities        Tests Performed   Results of Testing\n                                                                      Invalid Reports from March 28,\n                                                                      2005 through June 30, 2005 did not\n                                                                      include the corrective actions taken;\n                                                                      18 out of the 26 Personnel Interface\n                                                                      Invalid Reports provided were not\n                                                                      dated as completed, and 12 of the\n                                                                      26 Personnel Interface Invalid\n                                                                      Reports were not initialed as\n                                                                      completed.\n\n                                                                      DFAS-Charleston\n                                                                      Due to the inability of the system to\n                                                                      allow annotation of the Personnel\n                                                                      Interface Invalid Reports and\n                                                                      payroll office personnel performed\n                                                                      an undocumented random review of\n                                                                      the reports instead of a documented\n                                                                      review all reports, the audit team\n                                                                      could not determine that the\n                                                                     
 Personnel Interface Invalid Reports\n                                                                      are properly corrected, annotated,\n                                                                      and reviewed by supervisors.\n                                                                      Therefore, testing of the reports at\n                                                                      DFAS Charleston payroll office\n                                                                      was not performed.\n\n                                                                      DFAS-Pensacola\n                                                                      Ten of the 44 Personnel Interface\n                                                                      Invalid Reports were not available\n                                                                      for review. The remaining\n                                                                      34 reports that were reviewed did\n                                                                      not always have the final resolution\n                                                                      of errors annotated in the report.\n                                                                      The Personnel Interface Invalid\n                                                                      Reports were not reviewed by a\n                                                                      supervisor to ensure all exceptions\n                                                                      noted on the report had been\n                                                                      corrected by the payroll technician.\n\n\n\n\n                                               36\n\x0cNo.       
Control Objective              Control Activities                        Tests Performed                           Results of Testing\n      8   Controls provide reasonable    Policies and procedures are               Read policies and procedures and          No relevant exceptions noted.\n          assurance that current- or     documented to describe that               inquired with appropriate personnel to\n          prior-period adjustments to    management ensures current- or prior-     confirm that policies and procedures\n          employee's pay, including      period adjustments to employee's pay,     related to the processing of current or\n          employee debt, tax deduction   including employee debt, tax              prior-period adjustments to\n          or deductions not taken, are   deduction or deductions not taken, are    employee's pay, including employee\n          reported, reconciled and       reported, reconciled and approved.        debt, tax deduction or deductions not\n          approved.                                                                
taken, existed and were documented.\n                                         The detailed \xe2\x80\x9c592\xe2\x80\x9d payroll                Inspected a sample of 20 (to include      No relevant exceptions noted.\n                                         reconciliation shows all pertinent data   all pay periods during the 9 month\n                                         describing the payroll (including total   audit period) \xe2\x80\x9c592\xe2\x80\x9d reconciliations for\n                                         disbursements, Retirement, TSP,           each database and inquired with\n                                         Bonds, and other withholdings) and        appropriate personnel to confirm:\n                                         the related balances are reconciled, in\n                                         the appropriate accounting period, to     \xe2\x80\xa2 The detailed payroll reconciliation\n                                         corresponding general ledger accounts       showed pertinent data describing\n                                         within DCPS. All reconciling items          the payroll (including total\n                                         are investigated and cleared on a           disbursements, Retirement, TSP,\n                                         timely basis by supervisory personnel,      Bonds, and other withholdings)\n                                         prior to disbursement.                      
and the related balances were\n                                                                                     reconciled, in the appropriate\n                                                                                     accounting period, to\n                                                                                     corresponding general ledger\n                                                                                     accounts within DCPS;\n\n                                                                                   \xe2\x80\xa2 Each \xe2\x80\x9c592\xe2\x80\x9d reconciliation was\n                                                                                     approved by management prior to\n                                                                                     disbursement and;\n\n                                                                                    \xe2\x80\xa2 Reconciling items were\n                                                                                      investigated and cleared on a\n                                                                                      timely basis by supervisory\n                                                                                      personnel, prior to disbursement.\n                                         OLQs and summary reports such as          Inspected OLQs and Master                 DFAS Charleston\n                                         the Master Employee                       Employee Add/Change/Delete                The OLQs and Master Employee\n                                         Add/Change/Delete Report are              reports, observed payroll office staff    Add/Change/Delete reports were\n                                         periodically reviewed by supervisory      summary report and OLQ review             not signed off to indicate they were\n                                         personnel to 
determine if the master      procedures, and inquired with             reviewed. However, as a mitigating\n                                         files remain accurate and pertinent.      appropriate personnel to confirm that     circumstance, we observed that the\n\n\n                                                                         37\n\x0cNo.   Control Objective   Control Activities                       Tests Performed                           Results of Testing\n                                                                   master files were periodically            Payroll Office staff reviewed the\n                                                                   reviewed by supervisory personnel.        summary reports; and the reports\n                                                                                                             were archived indicating that they\n                                                                                                             had been run.\n                          The ability to view, modify, or          Inquired with appropriate personnel       Payroll Office Users\n                          transfer information contained in the    and inspected a haphazard sample of       Seven of 45 payroll office users\xe2\x80\x99\n                          payroll master files is restricted to    45 access request forms to confirm the    SAAR forms selected for testing\n                          authorized personnel.                    master file is restricted to authorized   contained an authorization for\n                                                                   personnel.                                
access on the SAAR form, which\n                                                                                                             did not match access granted within\n                                                                                                             DCPS. In addition, one of 45\n                                                                                                             payroll office user\xe2\x80\x99s SAAR forms\n                                                                                                             selected for testing did not contain a\n                                                                                                             supervisor\xe2\x80\x99s signature.\n\n                                                                                                             Non-Payroll Office Users\n                                                                                                             Four of 45 non-payroll office users\xe2\x80\x99\n                                                                                                             SAAR forms selected for testing\n                                                                                                             contained an authorization for\n                                                                                                             access on the SAAR form, which\n                                                                                                             did not match access granted within\n                                                                                                             DCPS. 
In addition, four of the 45\n                                                                                                             non-payroll office users\xe2\x80\x99 SAAR\n                                                                                                             forms could not be located.\n                          Requests to change the payroll master    Inspected a random sample of 45           DFAS-Denver\n                          file data and withholding table are      Remedy Tickets and inquired with          One out of 45 Remedy Tickets\n                          submitted on prenumbered Remedy          appropriate personnel to confirm the      selected was not completed within\n                          Tickets; the numerical sequence of the   requests:                                 the required time frame.\n                          Remedy Tickets is accounted for to\n                          ensure that the requested changes are    \xe2\x80\xa2 Were prenumbered;                       DFAS-Pensacola\n                          processed timely. Access to source                                                 Four out of 45 Remedy Tickets\n                          documents is controlled and key          \xe2\x80\xa2 That the sequence was accounted         were not completed within the\n                          source documents require signatures        for so that the Remedy Tickets          required time frame.\n                          from management.                           
(Continuation of the preceding control objective)
  Tests Performed (continued):
  … were accounted for timely;
  • That access to the source documents was restricted, and
  • That key source documents had required signatures from management.
  Results of Testing: DFAS-Charleston: Two out of 45 Remedy Tickets were not completed within the required time frame.

No. 9
Control Objective: All application users are appropriately identified and authenticated. Access to the application and output is restricted to authorized users for authorized purposes.

  Control Activity: Policies and procedures are documented to describe that application users are appropriately identified and authenticated. Access to the application and output is restricted to authorized users for authorized purposes.
  Tests Performed: Read policies and procedures and inquired with appropriate personnel to confirm that policies and procedures related to the identification and authentication of DCPS users existed and were documented.
  Results of Testing: No relevant exceptions noted.

  Control Activity: On-line access logs are maintained by the System Management Office (SMO), and the logs are reviewed regularly for unauthorized access attempts.
  Tests Performed: Inspected access logs and emails for unauthorized access attempts and inquired with appropriate personnel to confirm that logs were maintained by the SMO and that the logs were reviewed regularly for unauthorized access attempts.
  Results of Testing: No relevant exceptions noted.

  Control Activity: Each operator is required to have a completed systems access authorization form before being granted access to the system. The ability to view, modify, or transfer information contained in the payroll master files is restricted to authorized personnel.
  Tests Performed: Inspected a randomly selected sample of 45 user authorization forms and inquired with appropriate personnel to confirm that the user on the form was properly authorized and that the access granted on the form matched the access granted within DCPS.
  Results of Testing:
    Payroll Office Users: Seven of 45 payroll office users' SAAR forms selected for testing contained an authorization for access on the SAAR form which did not match the access granted within DCPS, and one of the 45 payroll office users' SAAR forms selected for testing did not contain a supervisor's signature.
    Non-Payroll Office Users: Four of 45 non-payroll office users' SAAR forms selected for testing contained an authorization for access on the SAAR form which did not match the access granted within DCPS. In addition, four of the 45 non-payroll office users' SAAR forms could not be located.

  Control Activity: Departmental managers periodically review listings of current employees within their departments, such as the Personnel/Payroll Reconciliation and Control of Hours Report, and notify the personnel department of necessary changes.
  Tests Performed: Inspected the Personnel/Payroll Reconciliation and Control of Hours Reports and inquired with appropriate personnel to confirm that the reports were generated and were being reviewed by management.
  Results of Testing: No relevant exceptions noted.

No. 10
Control Objective: Controls provide reasonable assurance that data transmissions in DCPS from user organizations are authorized, complete, accurate and secure.

  Control Activity: Policies and procedures are documented to describe that management ensures data transmissions in DCPS from organizations are authorized, complete, accurate and secure.
  Tests Performed: Read policies and procedures and inquired with appropriate personnel to confirm that policies and procedures related to the processing of DCPS data transmissions existed and were documented.
  Results of Testing: No relevant exceptions noted.

  Control Activity: Compliance with the payroll disbursement processing schedule is monitored by management.
  Tests Performed: Inspected pay processing schedules, observed the payroll disbursement process, and inquired with appropriate personnel to confirm that management monitored and reviewed the payroll disbursement processing schedule.
  Results of Testing: No relevant exceptions noted.

  Control Activity: Each operator is required to have a completed systems access authorization form before being granted access to the system. Authorization profiles over users limit what transactions data entry personnel can enter.
  Tests Performed: Inspected a randomly selected sample of 45 user authorization forms and inquired with appropriate personnel to confirm that each operator was required to have an authorization form before being granted access to the system and that user profiles limit what transactions data entry personnel can enter.
  Results of Testing:
    Payroll Office Users: Seven of 45 payroll office users' SAAR forms selected for testing contained an authorization for access on the SAAR form which did not match the access granted within DCPS, and one of the 45 payroll office users' SAAR forms selected for testing did not contain a supervisor's signature.
    Non-Payroll Office Users: Four of 45 non-payroll office users' SAAR forms selected for testing contained an authorization for access on the SAAR form which did not match the access granted within DCPS. In addition, four of the 45 non-payroll office users' SAAR forms could not be located.
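The SAAR-to-DCPS comparison performed in the test above, as an added example that is not code from the report or from DCPS: it reconciles a sample of user authorization forms against the access actually granted in the application and sorts each discrepancy into the three exception classes the results column uses (authorization on the form does not match access granted, no supervisor signature, form could not be located). The form fields, access names and sample users are constructed.

```python
"""Reconcile system access authorization (SAAR) forms against the access
actually granted in the payroll application, sorting discrepancies into the
exception classes used in the results column. Added example; not code from
the report or from DCPS. Form fields, access names and sample users are
constructed for illustration."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SaarForm:
    user_id: str
    authorized: frozenset        # access authorized on the form (constructed names)
    supervisor_signed: bool


@dataclass
class Exceptions:
    mismatch: list = field(default_factory=list)      # (user, on form only, in DCPS only)
    unsigned: list = field(default_factory=list)      # form lacks a supervisor signature
    not_located: list = field(default_factory=list)   # user has access, no form found


def reconcile(sample, forms, dcps_access):
    """sample: [(user_id, population)] drawn from the application's user list.
    forms: {user_id: SaarForm} for the forms that could be located.
    dcps_access: {user_id: frozenset} of access granted in the application.
    Returns {population: Exceptions}. A missing form is counted only as
    not_located, because the other two tests need the form itself."""
    results = {}
    for user_id, population in sample:
        exc = results.setdefault(population, Exceptions())
        form = forms.get(user_id)
        if form is None:
            exc.not_located.append(user_id)
            continue
        granted = dcps_access.get(user_id, frozenset())
        if form.authorized != granted:
            # Either direction is a finding: access granted that the form never
            # authorized, or authorized access that was never provisioned.
            exc.mismatch.append((user_id,
                                 sorted(form.authorized - granted),
                                 sorted(granted - form.authorized)))
        if not form.supervisor_signed:
            exc.unsigned.append(user_id)
    return results


def summarize(results):
    """Counts per population, in the form the results column reports them."""
    return {pop: {"mismatch": len(e.mismatch), "unsigned": len(e.unsigned),
                  "not_located": len(e.not_located)}
            for pop, e in results.items()}


def build_sample():
    """Constructed sample: nine users from a fictional DCPS user list."""
    sample = [("p1", "payroll"), ("p2", "payroll"), ("p3", "payroll"),
              ("p4", "payroll"), ("p5", "payroll"),
              ("n1", "non-payroll"), ("n2", "non-payroll"),
              ("n3", "non-payroll"), ("n4", "non-payroll")]
    forms = {
        "p1": SaarForm("p1", frozenset({"VIEW", "UPDATE"}), True),
        "p2": SaarForm("p2", frozenset({"VIEW"}), True),
        "p3": SaarForm("p3", frozenset({"VIEW", "TRANSFER"}), True),
        "p4": SaarForm("p4", frozenset({"VIEW"}), False),   # unsigned
        # p5: form could not be located
        "n1": SaarForm("n1", frozenset({"INQUIRY"}), True),
        "n2": SaarForm("n2", frozenset({"INQUIRY"}), True),
        # n3: form could not be located
        "n4": SaarForm("n4", frozenset({"INQUIRY"}), True),
    }
    dcps_access = {
        "p1": frozenset({"VIEW", "UPDATE"}),
        "p2": frozenset({"VIEW", "UPDATE"}),     # UPDATE granted, not on form
        "p3": frozenset({"VIEW"}),               # TRANSFER on form, not granted
        "p4": frozenset({"VIEW"}),
        "p5": frozenset({"VIEW", "UPDATE"}),
        "n1": frozenset({"INQUIRY"}),
        "n2": frozenset({"INQUIRY", "UPDATE"}),  # UPDATE granted, not on form
        "n3": frozenset({"INQUIRY"}),
        "n4": frozenset({"INQUIRY"}),
    }
    return sample, forms, dcps_access


if __name__ == "__main__":
    results = reconcile(*build_sample())
    for pop, exc in results.items():
        print(pop, summarize(results)[pop])
        for user, on_form_only, in_dcps_only in exc.mismatch:
            print(f"  {user}: on form only {on_form_only}, in DCPS only {in_dcps_only}")
```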
  Control Activity: Remote terminal connections are secured and are connected via government issued computers.
  Tests Performed: Observed remote terminal connections and inquired with appropriate personnel to confirm that they were secured and were connected via government computers.
  Results of Testing: DFAS-Charleston: Users had access to DCPS from remote locations using Secure Web Access over non-DoD furnished equipment. As a mitigating circumstance, these users were still subject to DCPS user access controls (for example, a user would still have to sign into DCPS with a unique user ID and password).

  Control Activity: Data entry terminals are connected to the system only during specified periods of the day, which correspond with the business hours of the data entry personnel.
  Tests Performed: Observed after-hours processes and inquired with appropriate personnel to confirm that terminals were not connected after business hours.
  Results of Testing: No relevant exceptions noted.

  Control Activity: User identification (ID) and passwords are required to gain access to the DCPS application.
  Tests Performed: Observed the DCPS log-in process and inquired with appropriate personnel to confirm that user IDs and passwords were required to gain access to the DCPS application.
  Results of Testing: No relevant exceptions noted.

  Control Activity: On-line access logs are maintained by the SMO, and the logs are reviewed regularly for unauthorized access attempts.
  Tests Performed: Inspected access logs and emails and inquired with appropriate personnel to confirm that logs were maintained by the SMO and that the logs were reviewed regularly for unauthorized access attempts.
  Results of Testing: No relevant exceptions noted.

  Control Activity: Each terminal automatically disconnects from the system when not used after a specified period of time.
  Tests Performed: Observed system inactivity and inquired with appropriate personnel to confirm that each terminal automatically disconnected from the system when not used after a specified period of time.
  Results of Testing: No relevant exceptions noted.

  Control Activity: When terminals are not in use, terminal rooms are locked, or the terminals are capable of being secured.
  Tests Performed: Observed the facility and inquired with appropriate personnel to confirm that when terminals were not in use, terminal rooms were locked or the terminals were capable of being secured.
  Results of Testing: No relevant exceptions noted.

No. 11
Control Objective: Controls are reasonable to ensure that transmissions from interfacing systems are subjected to the payroll system edits, validations and error-correction procedures.

  Control Activity: Policies and procedures are documented to describe that transactions from interfacing systems are subjected to the payroll system edits, validations and error-correction procedures.
  Tests Performed: Read policies and procedures and inquired with appropriate personnel to confirm that policies and procedures related to the processing of interface files existed and were documented.
  Results of Testing: No relevant exceptions noted.

  Control Activity: A control group is responsible for controlling and monitoring rejected transmissions included on the Personnel Interface Invalid Report.
  Tests Performed: Inspected a haphazard sample of 45 Personnel Interface Invalid Reports and inquired with the appropriate personnel who clear the Personnel Interface Invalid Reports to confirm that the reports were used to identify and resolve rejected transmissions.
  Results of Testing:
    DFAS-Denver: Due to technical difficulties with the document management system used to store the Personnel Interface Invalid Reports, the reports could not be provided for the period prior to March 27, 2005, which represented 18 of the 45 reports selected for testing. Additionally, one of the remaining 27 reports available from March 28, 2005 through June 30, 2005 could not be located, which left a sample of 26 to be reviewed. Annotations on 23 of the 26 Personnel Interface Invalid Reports from March 28, 2005 through June 30, 2005 did not include the corrective actions taken; 18 of the 26 reports provided were not dated as completed; and 12 of the 26 reports were not initialed as completed.
    DFAS-Charleston: Because the system did not allow annotation of the Personnel Interface Invalid Reports, and because payroll office personnel performed an undocumented random review of the reports instead of a documented review of all reports, the audit team could not determine that the Personnel Interface Invalid Reports were properly corrected, annotated, and reviewed by supervisors. Therefore, testing of the reports at the DFAS-Charleston payroll office was not performed.
    DFAS-Pensacola: Ten of the 44 Personnel Interface Invalid Reports were not available for review. The remaining 34 reports that were reviewed did not always have the final resolution of errors annotated on the report. The Personnel Interface Invalid Reports were not reviewed by a supervisor to ensure that all exceptions noted on the report had been corrected by the payroll technician.

  Control Activity: The data processing control group has a schedule by application that shows when outputs should be completed, when they need to be distributed, who the recipients are, and the copies needed; reviews output products for general acceptability; and reconciles control information to determine completeness of processing.
  Tests Performed: Inspected schedules used by the data processing group and inquired with appropriate personnel to confirm that they:
    • Had a schedule by application that showed when outputs needed to be completed, when they needed to be distributed, who the recipients were, and the copies needed;
    • Reviewed output products for general acceptability; and
    • Reconciled control information to determine completeness of processing.
  Results of Testing: No relevant exceptions noted.

  Control Activity: The system provides an audit trail of all transactions processed, transaction errors, error descriptions, and error correction procedures. Audit trails are reviewed by supervisory personnel, and erroneous data are captured, reported, investigated, and corrected.
  Tests Performed: Inspected audit trails of transactions and inquired with appropriate personnel to confirm that erroneous transactions were reviewed by supervisory personnel, captured, reported, investigated, and corrected.
  Results of Testing: No relevant exceptions noted.

  Control Activity: For interfacing systems, record counts are accumulated and compared to footer control totals to help determine the completeness of interface processing. Out-of-balance conditions are reported, corrected and reentered.
  Tests Performed: Inspected interface files and inquired with appropriate personnel to confirm that record counts matched the control totals in the footer, to determine completeness of interface processing, and that out-of-balance conditions were reported, corrected and reentered.
  Results of Testing: No relevant exceptions noted.
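The footer control-total check described in the activity above, as an added example that is not code from the report or from DCPS: for each batch in an interface file it accumulates the detail record count and amount, compares them with the footer, and flags out-of-balance batches (including a batch that ends without a footer) for reporting and re-entry. The pipe-delimited H/D/T record layout and the sample file are constructed.

```python
"""Completeness check for a payroll interface file: per batch, accumulate the
detail record count and amount and compare them with the footer control
totals, flagging out-of-balance batches for reporting and re-entry. Added
example; not code from the report or from DCPS. The pipe-delimited H/D/T
record layout and the sample file are constructed for illustration."""
from decimal import Decimal, InvalidOperation

# Constructed sample: batch B001 balances, B002's footer overstates both the
# record count and the amount, and B003 ends without a footer.
SAMPLE_FILE = """\
H|B001|20050630
D|E1001|1250.00
D|E1002|980.50
T|2|2230.50
H|B002|20050630
D|E1003|700.00
D|E1004|700.00
T|3|2100.00
H|B003|20050630
D|E1005|640.25
"""


def check_interface_file(text):
    """Return one dict per batch with keys batch, records, amount, problems,
    status. A batch is "in balance" only if its footer is present and both
    the record count and the amount match the accumulated detail records."""
    results = []
    current = None

    def close(batch, extra_problems=()):
        batch["problems"].extend(extra_problems)
        batch["status"] = "out of balance" if batch["problems"] else "in balance"
        results.append(batch)

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split("|")
        rtype = fields[0]
        if rtype == "H":                       # header opens a batch
            if current is not None:            # previous batch never got a footer
                close(current, ["footer missing"])
            current = {"batch": fields[1], "records": 0,
                       "amount": Decimal("0.00"), "problems": []}
        elif rtype == "D":                     # detail record: count and sum
            if current is None:
                raise ValueError(f"line {lineno}: detail record outside a batch")
            current["records"] += 1
            try:
                current["amount"] += Decimal(fields[2])
            except (IndexError, InvalidOperation):
                current["problems"].append(f"line {lineno}: unreadable amount")
        elif rtype == "T":                     # footer carries the control totals
            if current is None:
                raise ValueError(f"line {lineno}: footer without a batch header")
            footer_count, footer_amount = int(fields[1]), Decimal(fields[2])
            problems = []
            if footer_count != current["records"]:
                problems.append(f"record count {current['records']} "
                                f"does not match footer {footer_count}")
            if footer_amount != current["amount"]:
                problems.append(f"amount {current['amount']} "
                                f"does not match footer {footer_amount}")
            close(current, problems)
            current = None
        else:
            raise ValueError(f"line {lineno}: unknown record type {rtype!r}")
    if current is not None:                    # file ended inside a batch
        close(current, ["footer missing"])
    return results


def out_of_balance(results):
    """Batch ids that must be reported, corrected and re-entered."""
    return [b["batch"] for b in results if b["status"] == "out of balance"]


if __name__ == "__main__":
    for batch in check_interface_file(SAMPLE_FILE):
        print(batch["batch"], batch["status"], "; ".join(batch["problems"]))
```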
  Control Activity: Batch transactions without pre-assigned serial numbers are automatically assigned a unique sequence number, which is used by the computer to monitor that all transactions are processed.
  Tests Performed: Observed batch process monitoring to confirm that transactions without pre-assigned serial numbers were automatically assigned a unique sequence number.
  Results of Testing: No relevant exceptions noted.

No. 12
Control Objective: Controls provide reasonable assurance that personnel payroll records and other sensitive information are maintained and disposed of in accordance with Government-wide and agency-specific guidelines.

  Control Activity: Policies and procedures are documented to describe that personnel payroll records and other sensitive information are maintained and disposed of in accordance with Government-wide and agency-specific guidelines.
  Tests Performed: Read policies and procedures and inquired with appropriate personnel to confirm that policies and procedures related to the maintenance of personnel payroll records and other sensitive information existed and were documented.
  Results of Testing: No relevant exceptions noted.

  Control Activity: All documents and storage media are stored in physically and environmentally secure containers.
  Tests Performed: Observed storage processes and inquired with appropriate personnel to confirm that documents and storage media were stored properly in environmentally secure containers.
  Results of Testing: No relevant exceptions noted.

  Control Activity: All visitors to the Payroll Office must sign in and out with the authorized security personnel.
  Tests Performed: Inspected visitor logs for the payroll office and inquired with appropriate personnel to confirm that visitors signed in with the authorized security personnel.
  Results of Testing: No relevant exceptions noted.

  Control Activity: All terminals and payroll records are located in physically secured locations.
  Tests Performed: Observed the terminal rooms and inquired with appropriate personnel to confirm that access to the rooms was restricted.
  Results of Testing: No relevant exceptions noted.

  Control Activity: Users dispose of personnel and payroll records in accordance with Government-wide and agency-specific guidelines.
  Tests Performed: Observed destruction bins and inquired with appropriate personnel to confirm that payroll records were disposed of in accordance with Government-wide and agency-specific guidelines.
  Results of Testing: No relevant exceptions noted.

General Computer Control Objectives, Activities, Test Procedures and Results of Testing

No. | Control Objective | Control Activity | Test Procedure | Results of Testing

Enterprise-Wide Security Program Planning

No. 1
Control Objective: Risks are periodically assessed.
  Control Activity (DFAS-Pensacola): DoD and DFAS policy both direct an annual information assurance review. Review appropriate generated documentation to ensure that these processes are accomplished.
  Test Procedure (DFAS-Pensacola): Inquired with security personnel regarding the frequency of the risk assessment process. Inspected the latest Risk Assessment documented in the SSAA to confirm that risks were periodically assessed.
  Results of Testing: No relevant exceptions noted.

No. 2
Control Objective: A security plan is documented, approved and kept current.
  Control Activity (DFAS-Pensacola): DoD and DFAS policy both direct an annual information assurance review. Review appropriate generated documentation to ensure that these processes are accomplished.
  Test Procedure (DFAS-Pensacola): Inspected the DCPS SSAA to confirm that it had been documented, kept current and appropriately approved by management. Inspected the DCPS Security Policy, Security Requirements, and Certification Test and Evaluation Plan and Procedures to confirm that each had been updated.
  Results of Testing: No relevant exceptions noted.

No. 3
Control objective left intentionally blank.

No. 4
Control Objective: Owners and users are aware of security policies.
  Control Activity (DISA-Mechanicsburg): Ongoing security awareness curriculum that includes: New Employee Security Briefing; Annual Security Briefing; Information Assurance (IA) Awareness Training; Courier Briefings; SF 312 Non-Disclosure Briefing; Antiterrorism Force Protection Briefings; System Administrator (SA) Training; and a Security Page on the Command Intranet site.
  Test Procedure (DISA-Mechanicsburg): Inspected the Security Awareness Training materials to confirm that they are documented. Selected a haphazard sample of 45 employees and inspected their training files to confirm the completion of the necessary security training and a signoff. Inspected the training sign-in sheets to confirm that employees attended annual training. Inspected documentation showing that management had active security awareness programs in place that proactively emphasized the security policies to data owners and users.
  Results of Testing: No relevant exceptions noted.
  Control Activity (DFAS-Pensacola): Ongoing security awareness programs that include initial training and periodic refresher training.
  Test Procedure (DFAS-Pensacola): Inspected the Security Awareness Training materials to confirm they
were documented.\n\n                                                                                     Selected a haphazard sample of\n                                                                                     employees and inspected their training\n                                                                                     files to confirm the completion of the\n                                                                                     necessary security training and a\n                                                                                     signoff.\n\n                                                                                     Inspected the training database to\n                                                                                     confirm that employees attended\n                                                                                     annual training.\n\n                                                                                     Inspected documentation that\n                                                                                     management had active security\n                                                                                     awareness programs in place that\n                                                                                     proactively emphasized the security\n                                                                                     policies to data owners and users.\n5     An incident response capability   DISA-Mechanicsburg                           DISA-Mechanicsburg                        No relevant exceptions noted\n      has been implemented.             
DISA Policy Letter 05-04 \xe2\x80\x9cComputer           Inspected the incident plan detailed in\n                                        Security Incident Handling and               the SSAA to confirm it was\n                                        Reporting\xe2\x80\x9d May 4, 2005, has been             documented.\n                                        implemented.\n                                                                                     Selected a haphazard sample of\n                                                                                     incidents and observed the incidents\n                                                                                     were addressed based on the incident\n                                                                                     response plan.\n\n\n\n\n                                                                       47\n\x0cNo.   Control Objective                    Control Activity                         Test Procedure                             Results of Testing\n 6    Hiring, transfer, termination, and   DISA-Mechanicsburg                       DISA-Mechanicsburg                         No relevant exceptions noted\n      performance policies address         Personnel and Industrial Security        Inspected the hiring, transfer,\n      security.                            Program(s) implemented in accordance     termination and performance policies\n                                           with DoD 5200.2-R, DoD Directive         to confirm they were documented and\n                                           (DoDD) 8500.1, DoDI 8500.2, and the      addressed security requirements.\n                                           Computing Services Security\n                                           Handbook.                                
Inquired with security personnel to\n                                                                                    confirm that debriefs were conducted\n                                                                                    when employees were terminated and\n                                                                                    that a DISA Form 70 was used to note\n                                                                                    the collection of DISA property.\n\n                                                                                    Observed that a checkout form was\n                                                                                    sent to the System Administrator to\n                                                                                    document that system access had been\n                                                                                    removed for a terminated employee.\n7     A training program is                DISA-Mechanicsburg                       DISA-Mechanicsburg                         There was no structured\n      implemented to provide               A robust Security Awareness              Inquired with the security personnel to    functional training program\n      assurance that employees have        curriculum that includes: New            confirm that a training program was        established at\n      adequate training and expertise.     Employee Security Briefing; Annual       established.                               DISA-Mechanicsburg for all\n                                           Security Briefing; information                                                      DCPS personnel. 
In addition,\n                                           assurance Awareness Training; Courier    Inspected documentation to confirm         there was no process in place to\n                                           Briefings; SF 312 Non-Disclosure         the existence of a training program.       independently verify users\n                                           Briefing; Antiterrorism Force                                                       completed training and\n                                           Protection Briefings; and SA             Inspected training materials to confirm    submitted completion\n                                           Certification/Training has been          they provided personnel with adequate      statements. However,\n                                           implemented.                             training.                                  DISA-Mechanicsburg did have\n                                                                                                                               a process for users to obtain\n                                                                                    Selected a haphazard sample of             training.\n                                                                                    45 employees who had access to DCPS\n                                                                                    and inspected their training records to\n                                                                                    confirm specific job function training\n                                                                                    was occurring.\n\n                                           DFAS-Pensacola                           DFAS-Pensacola\n                                           An ongoing security awareness            Inquired with the Information Security\n                                           programs that include initial 
training   Officer (ISO) to confirm that a training\n                                           and periodic refresher training is       program was established.\n                                           implemented.\n\n\n\n                                                                         48\n\x0cNo.   Control Objective                    Control Activity                         Test Procedure                             Results of Testing\n                                                                                    Inspected documentation to confirm\n                                           Additionally the DCPS SSAA includes      the existence of a training program.\n                                           an Appendix J, System Rules of\n                                           Behavior, which describes the IA         Inspected training materials to confirm\n                                           operations of the DoD information        they provided personnel with adequate\n                                           system and clearly delineates IA         training and expertise.\n                                           responsibilities and expected behavior\n                                           of all personnel.                        
Selected a haphazard sample of\n                                                                                    45 employees who had access to DCPS\n                                                                                    and inspected their training records to\n                                                                                    confirm specific job function training\n                                                                                    was occurring.\n8     Management periodically              DISA-Mechanicsburg                       DISA-Mechanicsburg                         No relevant exceptions noted\n      assesses the appropriateness of      The Director\xe2\x80\x99s Policy Letters (DPLs)     Inquired with the Security Officer to\n      security policies and compliance     and Standard Operating Procedures        confirm management assessed the\n      with them.                           (SOP) are reviewed and updated. SRR      appropriateness of the security policies\n                                           are conducted at least every three       and compliance with them.\n                                           years.\n                                                                                    Inspected the DCPS Security\n                                                                                    Requirements and Information Systems\n                                                                                    Security Policy Certification Test and\n                                                                                    Evaluation Procedures to confirm that\n                                                                                    an annual IA review was conducted\n                                                                                    and that comprehensive vulnerability\n                                                                               
     management was in place.\n9     Management ensures that              DISA-Mechanicsburg                       DISA-Mechanicsburg                         No relevant exceptions noted\n      corrective actions are effectively   The Vulnerability Management System      Observed the SRR process to confirm\n      implemented.                         (VMS) is used to track findings from     that corrective actions were effectively\n                                           the SRR process. DECC MECH               implemented for identified SRR\n                                           management is responsible for tracking   findings.\n                                           and closing all findings that resulted\n                                           from the SRR process.                    Selected a haphazard sample of SRRs\n                                                                                    and inspected the VMS reports to\n                                                                                    confirm findings identified by the SRR\n                                                                                    process were addressed.\n\n                                                                                    Inspected prior audit reports or reviews\n                                                                                    to confirm findings and\n                                                                                    recommendations presented were\n\n\n\n                                                                       49\n\x0cNo.   
Control Objective                  Control Activity                             Test Procedure                             Results of Testing\n                                                                                      addressed.\n\n                                         DFAS-Pensacola                               DFAS-Pensacola\n                                         Management tracks the observations of        Inspected prior audit reports or reviews\n                                         prior audit reports and confirms that        to confirm findings and\n                                         observations are corrected in a timely       recommendations presented were\n                                         manner.                                      addressed.\n10    A comprehensive vulnerability      DISA-Mechanicsburg                           DISA-Mechanicsburg                         No relevant exceptions noted\n      management process that            Vulnerabilities are tracked in the VMS       Inspected the vulnerability\n      includes the systematic            database. Prior to connection to the         management policy and documentation\n      identification and mitigation of   network, the SA must run a VS08              to confirm that the process included\n      software and hardware              report detailing Information Assurance       systematic identification and mitigation\n      vulnerabilities is in place.       Vulnerability Management (IAVM)              of software and hardware\n                                         notices for the asset's operating system.    vulnerabilities.\n                                         All IAVM notices must be mitigated\n                                         and applicable patches loaded prior to       Inspected the most recent vulnerability\n                                         connecting the asset to the network.         
assessment to confirm that\n                                         Once all checklists have been applied        vulnerabilities were being identified,\n                                         from the STIG and the vulnerability          and resolved after identification.\n                                         alerts have been installed, a SRR and\n                                         an ISS scan will be conducted of the         Inspected the VMS reports for the audit\n                                         operating system. Security                   period to confirm vulnerabilities were\n                                         assessments that require a scan will use     tracked and resolved in a timely\n                                         the Internet Security Scanner (ISS) and      manner.\n                                         the FSO Full Scan Policy. The scan\n                                         will be conducted using a direct\n                                         connection from the system running\n                                         ISS to the system being assessed or the\n                                         site is authorized to connect the asset to\n                                         an isolated network during the ISS\n                                         scan. Each site will place their self-\n                                         assessment in the Security Readiness\n                                         Review Database (SRRDB). 
If the\n                                         systems have a database, web server, or\n                                         any other software that has a STIG,\n                                         they must go through a FSO SRR and\n                                         the results put in the self-assessment of\n                                         the SRR database.\n\n\n\n\n                                                                        50\n\x0cNo.   Control Objective                    Control Activity                            Test Procedure                              Results of Testing\n11    Changes to the DoD information       DFAS-Pensacola                              DFAS-Pensacola                              No relevant exceptions noted\n      system are assessed for IA and       All changes made at are captured in the     Inquired with DCPS management to\n      accreditation impact prior to        Change Management Information               confirm that management assessed\n      implementation.                      System (CMIS). Information included         whether changes complied with\n                                           in each change record is the requested      Information Assurance requirements\n                                           time and date of implementation, the        and changes impacted accreditation\n                                           action to occur, and justification of the   before moving the changes into the\n                                           action.                                     
production environment.\n\n                                                                                       Observed outputs of CMIS to confirm\n                                                                                       that the information included in each\n                                                                                       change record included the requested\n                                                                                       time and date of implementation, the\n                                                                                       action to occur, and justification of the\n                                                                                       action.\n12    A DoD reference document             DISA-Mechanicsburg                          DISA-Mechanicsburg                          No relevant exceptions noted\n      constitutes the primary source for   DISA has developed and requires             Inspected the DISA STIG to confirm\n      security configuration or            compliance with the STIGs appropriate       that they constituted the primary source\n      implementation guidance for the      to the operating system, application or     configuration or implementation\n      deployment of newly acquired         hardware.                                   guidance for the deployment of newly\n      IA- and IA-enabled Information                                                   acquired IA- and IA-enabled products.\n      Technology (IT) products.\n      Access Controls\n13    Owners have classified resources     DFAS-Pensacola                              DFAS-Pensacola                              No relevant exceptions noted\n      and related criteria have been       Management has classified DCPS              Inspected the DCPS SSAA and\n      established.                         
according to appropriate MAC level          inquired with data owners to confirm\n                                           standards.                                  that a MAC level was assigned to\n                                                                                       DCPS.\n14    Resource owners have identified      DFAS-Pensacola                              DFAS-Pensacola                              No relevant exceptions noted\n      authorized users and their access    The SAAR DD-2875 form is used to            Selected a haphazard sample of TSO\n      authorized.                          identify authorized users and control       users from the TSO user list and\n                                           their access.                               inspected their user access request\n                                                                                       forms for existence and approval of\n                                                                                       management.\n\n                                                                                       Observed the DCPS application to\n                                                                                       confirm that users possessed a valid\n                                                                                       User ID and password to gain access to\n                                                                                       the system.\n\n\n\n                                                                         51\n\x0cNo.   
Control Objective                Control Activity                    Test Procedure                              Results of Testing\n\n                                                                           Inquired with security managers to\n                                                                           confirm that supporting documentation\n                                                                           was provided to them.\n\n                                                                           Reviewed supporting documentation to\n                                                                           confirm that inappropriate access was\n                                                                           removed in a timely manner.\n\n                                                                           Inspected a haphazard sample of\n                                                                           45 profile changes and activity logs to\n                                                                           confirm that management reviewed the\n                                                                           changes and logs.\n\n                                                                           Observed the entire population of ten\n                                                                           terminated or transferred employees\n                                                                           during the audit period to confirm that\n                                                                           their system access was promptly\n                                                                           terminated within the system.\n15    Emergency and temporary access   DISA-Mechanicsburg                  DISA-Mechanicsburg                          No relevant exceptions noted\n      authorization is controlled.     
Emergency and temporary access      Inspected the emergency and\n                                       authorization are controlled in     temporary access policy to confirm it\n                                       accordance with DoD 5200.1-R; DoD   was documented.\n                                       5200.2-R; DoDD 8500.1; DoDI\n                                       8500.2, and Computing Services      Selected a random sample of 45 days\n                                       Security Handbook.                  of emergency and temporary access\n                                                                           requests and:\n\n                                                                               \xe2\x80\xa2    Confirmed that the\n                                                                                    authorization was approved\n                                                                                    and that access was closed in\n                                                                                    a timely manner.\n                                                                               \xe2\x80\xa2    Confirmed that the emergency\n                                                                                    and temporary access list was\n                                                                                    periodically reviewed.\n                                                                               \xe2\x80\xa2    Confirmed that all temporary\n                                                                                    access authorizations were\n                                                                                    established for least privileged\n                                                                                    need-to-know access.\n\n\n                                                                52\n\x0cNo.   
Control Objective                Control Activity                            Test Procedure                           Results of Testing\n16    Owners determine disposition     DFAS-Pensacola                              DFAS-Pensacola                           Forty-three of 148 DCPS\n      and sharing of data.             Documented policies and procedures          Inspected documents authorizing file     interfaces did not have a\n                                       are in the SSAA that govern the             sharing and file sharing agreements to   documented MOA or MOU\n                                       sharing of data.                            confirm the owners approved the\n                                                                                   sharing of data.\n\n                                                                                   Inspected the DCPS SSAA to confirm\n                                                                                   that a MAC level was assigned to\n                                                                                   DCPS.\n\n                                                                                   Inquired with key personnel to confirm\n                                                                                   that a MOA or a MOU was\n                                                                                   documented for all interfaces into\n                                                                                   DCPS.\n17    Adequate physical security       DISA-Mechanicsburg                          DISA-Mechanicsburg                       No relevant exceptions noted\n      controls have been implemented   All DISA facilities at DECC ME are          Observed that physical safeguards were\n      that are commensurate with the   locked at all times. 
No.   Control Objective                  Control Activity                          Test Procedure                            Results of Testing

(Row continued from the previous page; the start of each cell is cut off at the page break)
      Control Objective (fragment): [...] Access is restricted [...] risks of physical damage or [...] access.
      Control Activity (fragment):
        [...] in place. [...] using proximity cards, with PIN technology, which are controlled and issued by the Security Manager.
        The Naval Inventory Control Point conducts periodic, unannounced penetration testing to confirm that physical security is adequate.
        DECC MECH SSAA requires the performance of physical security inspections by the Security Office.
      Test Procedure (fragment): Observed that facility penetration testing processes were in place.

18    Visitors are controlled.
      Control Activity:
        DISA-Mechanicsburg: Visitors are controlled in accordance with DoD 5200.2-R; 5200.1-R and the Computing Services Security Handbook. Utilize access control database; proxy/pin technology; vetted badge exchange; Access Control Monitor Personnel; visitors log, Visit authorization Requests.
        DFAS-Pensacola: All visitors must sign-in and out with the guard on duty. The DCPS SSAA requires all non-cleared personnel to be escorted at all times while inside the building.
      Test Procedure:
        DISA-Mechanicsburg: Inspected the visitor policy, procedures, and logs to confirm they were documented. Observed the visitor check-in and check-out process to confirm visitors were logged. Inquired with physical security personnel and observed that visitor access to DoD information was determined by both its classification and user need-to-know.
        DFAS-Pensacola: Inspected the visitor policy and procedures to confirm they were documented. Observed the visitor check-in and check-out process to confirm all visitors were logged. Inquired with physical security personnel and observed that visitor access to DoD information was determined by both its classification and user need-to-know.
      Results of Testing: The visitors log used by the DFAS TSO facility was not fully completed for each visitor. However, all visitors had visitor badges that required them to enter the facility through only one guarded entrance.

19    Adequate logical access controls have been implemented at the application layer.
      Control Activity: User IDs and passwords are configured according to DISA standards.
      Test Procedure:
        DFAS-Pensacola: Observed that each TSO user account was assigned a security profile that restricted access. Selected a haphazard sample of 45 TSO users from the TSO user list and inspected their user access request forms for existence and approval of management. Observed the DCPS application to confirm that TSO users possessed a valid User ID and password to gain access to the system. Inquired with security personnel and observed supporting documentation to confirm that inappropriate access was removed in a timely manner. Confirmed that password parameters were in compliance with DoD Instruction 8500.2 password requirements. Inspected documentation for a haphazard sample of 45 terminated employees to confirm that system access was promptly terminated.
      Results of Testing: The current version of Access Control Facility 2 (ACF2) does not allow for password character complexity as required by DoDI 8500.2. However, access to DCPS was still subject to password controls that included periodic changing and minimum character lengths.

20    Passwords, tokens, or other devices are used to identify and authenticate users.
      Control Activity:
        DFAS-Pensacola: Multiple layers of access controls are used, including: Common Access Card (CAC) and personal identification number, DCPS userid and password, and an RSA SecurID for Database Administration, Configuration Management, Security, and Tech Support.
      Test Procedure:
        DFAS-Pensacola: Observed the DCPS application to confirm that users needed a valid User ID and Password to gain access to the system. Inspected system parameters to confirm that the system required a User ID and Password.
      Results of Testing: No relevant exceptions noted

21    Access paths are identified as part of a risk analysis and documented in an access path diagram.
      Control Activity:
        DISA-Mechanicsburg: Access paths are identified as part of the Mechanicsburg Enclave SSAA and documented in the network diagram within the SSAA. Firewalls and routers are used to restrict access within the network.
      Test Procedure:
        DISA-Mechanicsburg: Inquired with network support personnel that user management controls, firewalls, intrusion detection systems (IDS), and authentications were all used to control network access. Inspected the network diagrams for DISA-Mechanicsburg to confirm that access paths were documented and monitored by intrusion detection systems.
      Results of Testing: The firewalls supporting the access path to DCPS were no longer supported by the vendor and, therefore, were not configured with rules. To compensate for the lack of firewall rules, the routers supporting this access path were configured to deny all requests except for items included on their access control lists.

22    Access is restricted to data files and software programs.
      Control Activity:
        DISA-Mechanicsburg: The DISA System Support Office (SSO), a unit independent of DECC operations, is responsible for maintaining the system libraries. Access to system libraries is restricted to authorized individuals.
      Test Procedure:
        DISA-Mechanicsburg: Inspected ACF2 user profiles for the DCPS system to confirm that administrator level access restrictions were established around the data files and software programs. Inspected the access logs and inquired with security personnel to confirm that the access logs were reviewed for inappropriate access and that system libraries were managed and maintained to protect privileged programs.
      Results of Testing: No relevant exceptions noted

23    Access settings have been implemented in accordance with the access authorizations established by the resource owners.
      Control Activity:
        DISA-Mechanicsburg: Access settings have been implemented in accordance with the access authorizations established by signature authority of the resource owner on Form DD2875 and in accordance with DoDD 8500.1; DoDI 8500.2 and STIGs.
        DFAS-Pensacola: The Technical Support Office assigns security profiles to each userid based on need to know as demonstrated by an approved Form DD2875, request for system access. The TSOPE Database Administrator also assigns security profiles to development users through the Integrated Database Management System (IDMS), which restricts access to program libraries and databases.
      Test Procedure:
        DISA-Mechanicsburg: Inspected a haphazard sample of SAAR Form DD2875s to confirm that each form detailed the system support user's justification for access, security clearance level, and that each Form DD2875 was properly approved.
        DFAS-Pensacola: Inspected a haphazard sample of SAAR Form DD2875s to confirm that each form detailed the TSO user's justification for access, security clearance level, and that each Form DD2875 was properly approved.
      Results of Testing: Access justification was not documented on the Form DD2875 for four of 45 DISA-Mechanicsburg personnel. One of 45 users had access to the DCPS production environment that was not authorized on their Form DD2875.

24    Telecommunications controls are properly implemented in accordance with authorizations that have been granted.
      Control Activity:
        DISA-Mechanicsburg: Remote access to the Internet is regulated by positive technical controls such as firewalls, routers, and proxy services and screened subnets, also called demilitarized zones (DMZ), or through systems that are isolated from all other DoD information systems through physical means. There is a remote dial-in router provided for Systems Administrators which requires Secure Shell restrictions. Enterprise Security Manager is installed on some of these systems.
      Test Procedure:
        DISA-Mechanicsburg: Inspected the telecommunications policy to confirm that it was documented. Observed the existence of telecommunication monitoring controls. Obtained firewall rules to confirm they were documented.
      Results of Testing: The firewalls supporting the access path to DCPS were no longer supported by the vendor and, therefore, were not configured with rules. To compensate for this lack of firewall rules, the routers supporting this access path were configured to deny all requests except for items included on their access control list.

25    Procedures are in place to clear sensitive information and software from computers, disks, and other equipment or media when they are disposed of or transferred to another use.
      Control Activity:
        DISA-Mechanicsburg: All documents, equipment, and machine-readable media containing sensitive data are cleared and sanitized before being released, and sign off is required to certify the destruction of such media.
      Test Procedure:
        DISA-Mechanicsburg: Inspected the Disposition of Unclassified DoD Computer Hard Drives policy to confirm it was documented. Observed the access controls to the media while it was waiting to be cleared or destroyed. Observed the procedures in place to clear or destroy equipment and media.
      Results of Testing: No relevant exceptions noted

26    Audit trails are maintained at the application layer, operating system (OS), and database layer.
      Control Activity:
        DISA-Mechanicsburg and DFAS-Pensacola: A security audit trail is implemented for each system that documents the identity of each person/device having access to a system, the time of that access, user activity, and any actions which attempt to change security levels or privileges established for the user.
      Test Procedure:
        DISA-Mechanicsburg: Inquired with security personnel to confirm that audit trails were implemented at the application and operating system levels. Inspected the audit log to confirm system information was logged. Inquired with security personnel and observed that audit trails were maintained.
        DFAS-Pensacola: Inquired with security personnel to confirm that audit trails were implemented at the application and operating system levels. Inspected the audit log to confirm system information was logged. Inquired with security personnel and observed that audit trails were maintained.
      Results of Testing: No relevant exceptions noted

27    The contents of audit trails are protected against unauthorized access, modification or deletion.
      Control Activity:
        DISA-Mechanicsburg: Contents of audit trails are protected in accordance with STIGs and the DISA Computing Services Security Handbook. A user's authorization for access to various systems is identified in each individual's new user agreement (completed when the account is created).
        DFAS-Pensacola: Adheres to DITSCAP requirements for system access and content, retention and protection of audit trails. The most recent testing of compliance with DITSCAP guidance is contained in the DCPS SSAA, Appendices H and P.
      Test Procedure:
        DISA-Mechanicsburg: Confirmed that policies were documented to limit access to audit trails. Observed access to the audit logs to confirm that activities that might modify, bypass, or negate safeguards controlled by the system and the audit trails were protected against unauthorized access, modification, or deletion. Observed that only a selected/limited number of individuals, such as the ISSO and Information Assurance Manager, had access to the audit trails.
        DFAS-Pensacola: Confirmed that policies were documented to limit access to audit trails. Observed access to the audit logs to confirm that activities that might modify, bypass, or negate safeguards controlled by the system and the audit trails were protected against unauthorized access, modification, or deletion. Observed that only a selected/limited number of individuals, such as the ISSO and Information Assurance Manager, had access to the audit trails.
      Results of Testing: No relevant exceptions noted

28    Tools are available for the review of audit records and for report generation from audit records.
      Control Activity:
        DISA-Mechanicsburg: Tools are available for review through System Management Facility, DISPATCH and the ACF2 report facility.
      Test Procedure:
        DISA-Mechanicsburg: Observed the audit tools to confirm they existed. Observed that reports were being generated and that they were reviewed by system security personnel.
      Results of Testing: No relevant exceptions noted

29    Actual or attempted unauthorized, unusual, or sensitive network access is monitored and suspicious or irregular access activity is investigated and appropriate action taken.
      Control Activity:
        DISA-Mechanicsburg: ACF2 is maintained at both DECC MECH and the various payroll offices by a series of security administrators with differing roles (administration, user accounts, etc.). The logs are centrally reviewed at DECC MECH. Multiple unsuccessful login attempts result in the account being locked. If the account is unused for a specified period, then the account is deactivated.
      Test Procedure:
        DISA-Mechanicsburg: Inspected copies of the policies and procedures relating to access controls to confirm they were documented. Inquired with the System Security Administrator to confirm that system access such as unauthorized, unusual, or sensitive access is monitored. Inquired with the SA to confirm that suspicious or irregular access activity was investigated and responses were taken. Inspected audit log reviews and incident reports to confirm that investigations and actions were taking place.
      Results of Testing: No relevant exceptions noted

30    The acquisition, development, and/or use of mobile code to be deployed in DoD systems meet current guidelines, standards and regulations.
      Control Activity:
        DISA-Mechanicsburg: Use of mobile code is only permitted following a risk assessment, categorization of the mobile code, and after countermeasures have been implemented. A waiver has been obtained from the responsible Chief Information Officer's office.
      Test Procedure:
        DISA-Mechanicsburg: Inspected the DoD systems guidelines, standards, and regulations concerning mobile code to confirm they were documented. Inquired with the System Administrator to confirm that the acquisition, development, and/or use of mobile code to be deployed in DoD systems met current guidelines, standards and regulations. Inspected a list of software on the DCPS production environment for software that supported mobile code.
      Results of Testing: Software that supports mobile code was found on the DCPS production Logical Partition (LPAR). ACF2 was configured to prevent non-authorized code from running on the DCPS LPAR.

31    All servers, workstations and mobile computing devices implement virus protection that includes a capability for automatic updates.
      Control Activity:
        DISA-Mechanicsburg: Anti-virus software is installed on personal computers, laptops, and systems under DECC MECH control.
      Test Procedure:
        DISA-Mechanicsburg: Observed that servers, workstations and mobile computing devices implemented virus protection that allows the capability of automatic updates.
      Results of Testing: No relevant exceptions noted

32    All Virtual Private Network (VPN) traffic is visible to network IDS.
      Control Activity:
        DISA-Mechanicsburg: ISS Real Secure is installed at various points that give visibility into the network traffic ingressing and egressing the enclave.
      Test Procedure:
        DISA-Mechanicsburg: Inquired with SAs to confirm that all VPN traffic is visible to network IDS. Inspected the system network diagram and inquired with the SA to confirm that VPN traffic is included on the diagram.
      Results of Testing: No relevant exceptions noted

33    At a minimum, medium-robustness Commercial Off-the-Shelf (COTS) IA and IA-enabled products are used to protect sensitive information when the information transits public networks or the system handling the information is accessible by individuals who are not authorized to access the information on the system.
      Control Activity:
        DISA-Mechanicsburg: Appropriate IA products are implemented to protect sensitive information when the information transits public networks or the system handling the information is accessible by individuals who are not authorized to access the information on the system.
      Test Procedure:
        DISA-Mechanicsburg: Inquired with security personnel to confirm that, at a minimum, medium-robustness COTS IA and IA-enabled products were used to protect sensitive information when the information transits public networks or the system handling the information was accessible by individuals who were not authorized to access the information on the system, for each of the DCPS locations. Observed the use of access control software to confirm access to data was controlled.
      Results of Testing: No relevant exceptions noted

34    Unless there is an overriding technical or operational problem, workstation screen-lock functionality is associated with each workstation.
      Control Activity:
        DISA-Mechanicsburg: Workstations are locked systematically after a period of inactivity in accordance with DoDI 8500.2. A password is required to unlock the workstation.
        DFAS-Pensacola: The Desktop Management Initiative (DMI) (not associated with TSOPE) controls the configuration of all DFAS computers, including the operating system and the application of screen-lock functionality.
      Test Procedure:
        DISA-Mechanicsburg: Observed a haphazard sample of workstations to confirm screen-lock functionality was applied.
        DFAS-Pensacola: Observed a haphazard sample of workstations to confirm screen-lock functionality was applied.
      Results of Testing: No relevant exceptions noted

35    Instant messaging traffic to and from instant messaging clients that are independently configured by end users and that interact with a public service provider is prohibited within DoD information systems.
      Control Activity:
        DISA-Mechanicsburg: Use of Instant Messaging applications is not permitted, and network personnel monitor common firewall and system ports to identify and eliminate the use of instant messaging applications.
        DFAS-Pensacola: DMI controls the configuration of computers, and instant messaging programs are not authorized. TSOPE monitors application usage through an automated software auditing application that runs regularly when users log on to their workstation. Instant messaging programs are identified as part of that auditing process.
      Test Procedure:
        DISA-Mechanicsburg: Inquired with security personnel to confirm that the use of instant messaging is against policy. Inspected firewall/router access control list (ACL) rules to confirm instant messaging was blocked.
        DFAS-Pensacola: Inquired with security personnel to confirm that the use of instant messaging was against policy. Inquired with security personnel to confirm firewall rules were configured to block instant messaging. Inspected workstations to confirm that instant messaging software was not loaded and users did not have administrative rights to the computer.
      Results of Testing: No relevant exceptions noted

36    For Automated Information System (AIS) applications, a list of all (potential) hosting enclaves is developed and maintained along with evidence of deployment planning and coordination and the exchange of connection rules and requirements.
      Control Activity:
        DISA-Mechanicsburg and DFAS-Pensacola: All interconnections of DoD information systems are to be managed continuously to minimize risk by ensuring that the assurance of one system is not undermined by vulnerabilities of interconnected [text cut off at page break]
      Test Procedure:
        DISA-Mechanicsburg: Inspected the site SSAA to confirm the DCPS enclave was identified and documented.
        DFAS-Pensacola: Inspected the Service Level Agreement between DISA and DFAS to confirm [text cut off at page break]
      Results of Testing: No relevant exceptions noted
systems                                  evidence of deployment planning and\n                                                                                   coordination, and the exchange of\n                                                                                   connection rules and requirements.\n37    Group authenticators for            DISA-Mechanicsburg and DFAS-             DISA-Mechanicsburg                         The DFAS-Pensacola personnel\n      application or network access       Pensacola                                Inquired with system security              who work in the DCPS\n      may be used only in conjunction     Group authenticators are not used for    personnel to confirm group                 operations room used group\n      with an individual authenticator.   DCPS or network access. Upon initial     authenticators for application, network    authentication to facilitate the\n                                          system login, a user\xe2\x80\x99s actions are       or operating system were used.             operations and maintenance of\n                                          tracked based on their unique user                                                  various payroll databases.\n                                          account.                                 If so, inquired to understand the reason\n                                                                                   behind the usage of group\n                                                                                   authenticators. 
(In many cases it was a\n                                                                                   system limitation)\n\n                                                                                   If so, inquired if users were\n                                                                                   authenticated individually prior to the\n                                                                                   use of a group authenticator.\n\n                                                                                   DFAS-Pensacola\n                                                                                   Confirmed through inquiry if group\n                                                                                   authenticators for application and\n                                                                                   network were used.\n\n                                                                                   If so, inquired to understand the reason\n                                                                                   behind the usage of group\n                                                                                   authenticators. 
(In many cases it was a\n                                                                                   system limitation)\n\n                                                                                   If so, inquired if users were\n                                                                                   authenticated individually prior to the\n                                                                                   use of a group authenticator.\n38    To help prevent inadvertent         DISA-Mechanicsburg                       DISA-Mechanicsburg                         No relevant exceptions noted\n      disclosure of controlled            Exchange Server Administration           Obtained and inspected a listing of\n      information, all contractors and    includes the specific configuration of   email addresses for DCPS contractors\n      foreign nationals are identified    email addresses and display names for    and foreign nationals to confirm their\n      by e-mail addresses and display     contractors and foreign nationals.       display names identified them as\n      names.                                                                       contractors or foreign nationals.\n\n\n\n\n                                                                       62\n\x0cNo.   
Control Objective                     Control Activity                          Test Procedure                             Results of Testing\n39    Unclassified, sensitive data          DISA-Mechanicsburg                        DISA-Mechanicsburg                         Sensitive but unclassified\n      transmitted through a                 Encryption data streams are in the        Inquired with security personnel to        personnel and payroll data\n      commercial or wireless network        process of conforming to the Federal      confirm DCPS data was transmitted          transmitted within DoD internal\n      are encrypted using National          Information Processing Standards-140-     through a commercial or wireless           networks was not encrypted;\n      Institute of Standards and            2 standard.                               network and NIST cryptography was          however, DCPS traffic\n      Technology (NIST)-certified                                                     used to protect information when the       transmitted on non-DoD\n      cryptography.                                                                   
information transmitted over               networks was encrypted.\n                                                                                      commercial or wireless networks.\n40    Discretionary access controls are     DISA-Mechanicsburg                        DISA-Mechanicsburg                         No relevant exceptions noted\n      a sufficient IA mechanism for         The SSAA requires that access to all      Inspected the user list from the\n      connecting DoD information            DoD information systems shall be          Discretionary Access Control (DAC)\n      systems operating at the same         based on a demonstrated need-to-know      of all individuals who had direct access\n      classification, but with different    and granted in accordance with            to the system software to confirm their\n      need-to-know access rules.            applicable laws and DoD 5200.2-R for      access was limited to a need-to-know\n                                            background investigations, special        basis.\n                                            access and IT position designations and\n                                            requirements. An appropriate security\n                                            clearance and non-disclosure\n                                            agreement are also required for access\n                                            to classified information in accordance\n                                            with DoD 5200.1-R.\n41    Conformance testing that              DISA-Mechanicsburg                        DISA-Mechanicsburg                         No relevant exceptions noted\n      includes periodic, unannounced,       Performs monthly vulnerabilities scans.   Inquired with security personnel that\n      in-depth monitoring and provides      DCPS and its hardware are reviewed        conformance testing was performed\n      for specific penetration testing to   by a FSO SRR. 
                            that included periodic, unannounced,\n      ensure compliance with all                                                      in-depth monitoring and provided for\n      vulnerability mitigation                                                        specific penetration testing to confirm\n      procedures is planned, scheduled,                                               compliance with all vulnerability\n      and conducted.                                                                  mitigation procedures were planned,\n                                                                                      scheduled, and conducted.\n\n                                                                                      Inspected documentation produced\n                                                                                      from conformance testing to confirm\n                                                                                      such testing was performed.\n42    All users are warned that they are    DISA-Mechanicsburg All DISA               DISA-Mechanicsburg                         No relevant exceptions noted\n      entering a Government                 networks and platforms present a          Observed that the DCPS LPAR system\n      information system.                   message to users upon logon, which        parameters were set to display a DoD\n                                            warns them that they are entering a       warning banner for initial end user\n                                            Government information system, and        connections.\n\n\n\n                                                                         63\n\x0cNo.   
Control Objective                    Control Activity                           Test Procedure                             Results of Testing\n                                           are provided with appropriate privacy\n                                           and security notices to include\n                                           statements informing them that they\n                                           are subject to monitoring, recording\n                                           and auditing.\n43    Information and DoD                  DISA-Mechanicsburg                         DISA-Mechanicsburg                         Sensitive but unclassified\n      information systems that store,      Information on DoD systems that store,     Observed the DECC MECH data                personnel and payroll data\n      process, transmit, or display data   process, transit, or display data in any   center, including onsite tape storage      transmitted within DoD internal\n      in any form or format that is not    format that is not approved for public     areas, to confirm that labels indicating   networks was not encrypted;\n      approved for public release          release complies with DoD policy.          classification level were affixed to all   however, DCPS traffic\n      comply with requirements in                                                     computers and storage devices.             
transmitted on non-DoD\n      policy and guidance documents        Access to all DoD information systems                                                 networks was encrypted.\n      and information in transit           is based on a demonstrated need-to-        Inquired with security personnel to\n      through a network at the same        know, and granted in accordance with       confirm that information in transit\n      classification level, but which      applicable laws and DoD 5200.2-R for       through the network was encrypted.\n      must be separated for need-to-       background investigations, special\n      know reasons, is encrypted, at a     access and IT position designations and    Inquired with security personnel to\n      minimum, with NIST-certified         requirements                               confirm the usage of a network\n      cryptography.                                                                   monitoring tool.\n44    Connections between DoD              DISA-Mechanicsburg                         DISA-Mechanicsburg                         The firewalls supporting the\n      enclaves and the Internet or other   Perimeter firewalls, routers, and          Inspected the system architecture to       access path to DCPS were no\n      public or commercial wide area       intrusion detection systems are            confirm that connections between DoD       longer supported by the vendor\n      networks require a DMZ and           implemented.                               enclaves and the Internet were             and, therefore, were not\n      boundary defense mechanisms to                                                  configured with a DMZ, and boundary        configured with rules. 
To\n      include firewalls and network        DoD information systems shall              defense mechanisms included firewalls      compensate for this lack of\n      IDS are deployed at the enclave      regulate remote access and access to       and network IDS were deployed at the       firewall rules, the routers\n      boundary.                            the Internet by employing positive         enclave boundary.                          supporting this access path were\n                                           technical controls such as proxy                                                      configured to deny all requests\n                                           services and screened subnets, also        Inspected system network diagram and       except for items included on\n                                           called DMZ, or through systems that        inquired with the SA to confirm that a     their access control list.\n                                           are isolated from all other DoD            DMZ and defense mechanisms were\n                                           information systems through physical       employed.\n                                           means.\n                                                                                      Observed the existence of firewalls and\n                                                                                      IDSs.\n45    Devices that display or output       DISA-Mechanicsburg                         DISA-Mechanicsburg                         No relevant exceptions noted\n      classified or sensitive              Devices that display or output             Observed that displays and printers\n      information in human-readable        classified information are labeled to      used for sensitive information were\n      form (monitors and printers) are     indicate whether classified information    positioned to deter unauthorized\n\n\n\n                     
                                                    64\n\x0cNo.   Control Objective                   Control Activity                          Test Procedure                              Results of Testing\n      positioned to deter unauthorized    can be displayed. All devices are         individuals from reading the\n      individuals from reading the        located in Approved Open Collateral       information.\n      information.                        Storage Areas. Access to these areas is\n                                          controlled.\n\n                                          DFAS-Pensacola                            DFAS-Pensacola\n                                          Access to systems containing sensitive    Observed that displays and printers\n                                          information display warning banners       used for sensitive information were\n                                          upon login to warn authorized users;      positioned to deter unauthorized\n                                          unauthorized users are denied while       individuals from reading the\n                                          attempting to login to the system.        information.\n\n                                          Individuals who print sensitive\n                                          information in human-readable form\n                                          have localized printers. 
Each user\n                                          outputting sensitive data in human\n                                          readable form is accountable for the\n                                          security in handling of that\n                                          information.\n46                                                                                                                              Control objective left\n                                                                                                                                intentionally blank\n47    DoD information systems             DISA-Mechanicsburg                        DISA-Mechanicsburg                          No relevant exceptions noted\n      comply with DoD ports,              DCPS-related ports, protocols, and        Confirmed though inquiry with DISA\n      protocols, and services guidance.   services are configured according to      personnel and observed the DCPS\n                                          DoD guidance.                             
routers ACL that DCPS complied with\n                                                                                    DoD ports, protocols, and services\n                                                                                    guidance, including all ports, protocols,\n                                                                                    and services.\n\n                                                                                    Observed that ports, protocols, and\n                                                                                    services were identified and registered.\n\n                                                                                    Inspected the latest SRR report and\n                                                                                    remediation of findings of DCPS to\n                                                                                    confirm DISA was monitoring\n                                                                                    compliance with the DISA STIG.\n48    Binary or machine executable        DISA-Mechanicsburg                        DISA-Mechanicsburg                          No relevant exceptions noted\n      public domain software products     Public domain software products, and      Inspected a listing of software products\n      and other software products with    other software products with limited or   installed on the DCPS mainframe to\n\n\n                                                                       65\n\x0cNo.   Control Objective                  Control Activity                         Test Procedure                             Results of Testing\n      limited or no warranty are not     no warranty, such as those commonly      confirm DCPS does not have binary or\n      used in DoD information            known as freeware or shareware, shall    machine executable public domain\n      systems.              
             only be used in DoD information          software and other software products\n                                         systems to meet compelling operational   with limited or no warranty installed on\n                                         requirements. Such products shall be     DCPS.\n                                         thoroughly assessed for risk and\n                                         accepted for use by the responsible\n                                         Designated Approving Authority.\n      Application Software\n      Development and Change\n      Control\n49    A system development life cycle    There is a defined configuration         DFAS-Pensacola                             No relevant exceptions noted\n      methodology (SDLC) has been        management (CM) process in place at      Inspected the Configuration\n      implemented and documented.        DFAS-Pensacola. The process is           Management Plan to confirm that it\n                                         documented in the SSAA under             was documented.\n                                         Appendix S \xe2\x80\x93 Change Management\n                                         Plan. 
Included in the plan are:\n                                         \xe2\x80\xa2 Formally documented CM roles,\n                                             responsibilities and procedures\n                                             including management of IA\n                                             information and documentation;\n                                         \xe2\x80\xa2 The detailed role of the CCB\n                                             including its roles for reviewing\n                                             and approving changes;\n                                         \xe2\x80\xa2 The testing process that all\n                                             changes must go through,\n                                             including the migration of the\n                                             change from the development\n                                             region to the testing region, and\n                                             the testing region to production;\n50    Authorizations for software        DFAS-Pensacola                           DFAS-Pensacola                             No relevant exceptions noted\n      modifications are documented       A Configuration Management Plan is       Inspected the full population of\n      and maintained. This should also   implemented for software                 modifications occurring during the\n      include emergency changes          modifications; contained in the DFAS     audit period to confirm they were\n                                         TSO Business Process Handbook.           
supported by an approved SCR or\n                                                                                  Preliminary Technical Review\n                                         All modifications must go through the    authorized by the Program Manager\n                                         System Change Request (SCR) process      and/or Software Director, and\n                                                                                  supported by a Release Authorization\n\n\n                                                                     66\n\x0cNo.   Control Objective                     Control Activity                          Test Procedure                              Results of Testing\n                                            and receive proper approvals prior to     Report.\n                                            implementation, including emergency\n                                            changes made during business hours.\n                                            Emergency changes which arise during\n                                            non-business hours may be\n                                            implemented prior to SCR approval;\n                                            however, the change is run through the\n                                            SCR process at the start of the next\n                                            business day.\n51    Use of public domain and              DFAS-Pensacola                            DFAS-Pensacola                              No relevant exceptions noted\n      personal software is restricted.      Does not allow any use of public          Inspected public domain and personal\n                                            domain and/or personal software.          
software policy to confirm that\n                                            DCPS is on the mainframe; all utilities   personal software restrictions were\n                                            needed are on the mainframe (which is     documented.\n                                            DISA-driven).\n                                                                                      Inspected a listing of installed software\n                                                                                      to confirm public and personal\n                                                                                      software was not installed on the DCPS\n                                                                                      system.\n52    Changes are controlled as             DFAS-Pensacola                            DFAS-Pensacola                              The appropriate test\n      programs progress through             Testing of changes follows the            Inspected the entire population of          documentation was provided for\n      testing to final approval to ensure   approved process outlined in the DFAS     50 modifications to the application         the three major quarterly\n      completeness, authorization,          TSO Business Process Handbook prior       software to confirm they were               releases. However, TSO was\n      software quality requirements         to implementation.                        
supported by appropriate test and           unable to collect and distribute\n      and validation methods that are                                                 migration documentation such as             the appropriate test\n      focused on the minimization of        A Testing Deficiency Report is issued     System Test Plan, Detailed system           documentation for the\n      flawed or malformed software          for SCRs with negative test results and   specifications; and Unit, System and        remaining 47 interim releases\n      that can negatively impact            the TDR is routed to the appropriate      Acceptance testing results.                 during our audit fieldwork.\n      integrity or availability (e.g.,      individuals. If necessary, an                                                         Management indicated they\n      buffer overruns) are specified for    amendment is issued and processes         Inquired with DCPS security personnel       could not provide this\n      all software development              through same approval process as an       and confirmed they reviewed security-       documentation due to the\n      initiatives.                          SCR.                                      related changes included in DCPS            workload of TSO and the time\n                                                                                      Releases.                                   
constraints of this audit.

Observed release notes for all major DCPS production releases that occurred during the audit period to confirm release information was documented and communicated.

No. 53
Control Objective: Distribution and implementation of new or revised software is controlled.
Control Activity (DFAS-Pensacola): Release Management staff are responsible for distribution or implementation of new or revised software.
Test Procedure (DFAS-Pensacola): Inspected the full population of 50 modifications and confirmed that changes were supported by a Release Authorization Report.
Results of Testing: No relevant exceptions noted.

No. 54
Control Objective: Programs are labeled and inventoried.
Control Activity (DFAS-Pensacola): Release Management staff are responsible for ensuring that all programs are labeled and inventoried within the appropriate library.
Test Procedure (DFAS-Pensacola): Inspected the full population of 50 modifications to confirm changes were labeled, assigned an ID, and inventoried.
Results of Testing: No relevant exceptions noted.

No. 55
Control Objective: Access to program libraries is restricted to appropriate personnel to ensure that the movement of programs and data among libraries is controlled.
Control Activity (DFAS-Pensacola): The System Administrator manages access rights to the program libraries and databases through ACF2. The Database Administrator grants access to the appropriate development/production environments through IDMS. IDMS controls versioning in both the development and production environments.
Test Procedure (DFAS-Pensacola): Observed the procedures performed by the DCPS Librarian to confirm development and production libraries were controlled. Inspected the access control lists for the Production and Development libraries (directories) to confirm that only authorized personnel had access.
Results of Testing: No relevant exceptions noted.

No. 56
Control Objective: Acquisition or outsourcing of IT services explicitly addresses Government, service provider, and end user IA roles and responsibilities.
Control Activity (DFAS-Pensacola): The service level agreement between DFAS and DECC MECH explicitly states IA roles and responsibilities for both customer and service provider: “Business processes supported by private sector information systems and outsourced information technologies shall be reviewed and managed relative to contributions to mission outcomes and strategic goals and objectives, in accordance with 40 U.S.C. Sections 1423 and 1451. Data shall be collected to support reporting and IA management activities across the investment life cycle.”
Test Procedure (DFAS-Pensacola): Inspected the service level agreement to confirm it addressed Government, service provider, and end-user IA roles and responsibilities.
Results of Testing: No relevant exceptions noted.

No. 57
Control Objective: The acquisition of all IA- and IA-enabled Government Off-the-Shelf (GOTS) IT products is limited to products that have been evaluated by the NSA or in accordance with NSA-approved processes.
Control Activity (DFAS-Pensacola): The SSO is responsible for reviewing and approving all COTS IT products.
Test Procedure (DFAS-Pensacola): Inquired with security personnel to confirm they verified NSA evaluation or conducted an evaluation in accordance with NSA-approved processes for IA-related products.
Results of Testing: No relevant exceptions noted.

System Software Controls

No. 58
Control objective left intentionally blank.

No. 59
Control Objective: Policies and techniques have been implemented for using and monitoring use of system utilities.
Control Activity (DISA-Mechanicsburg): Access to the system software is administered based on roles.
Test Procedure (DISA-Mechanicsburg): Inquired with security personnel to confirm root and other privileged access were restricted. Obtained the list of individuals with root and/or privileged access and inquired with management to confirm that root and privileged access was appropriate and that the use of these accounts was logged. Inspected the policies and procedures for the monitoring of system software and confirmed they existed and were current. Inspected a sample of the audit logs from the DCPS system to confirm that key personnel reviewed the logs on a regular basis and that any issues noted were documented and researched.
Results of Testing: No relevant exceptions noted.

No. 60
Control Objective: System software changes are authorized, tested, approved, and documented before implementation.
Control Activity (DISA-Mechanicsburg): Procedures addressing the testing of patches, upgrades, and new AIS applications are documented. All changes made at DECC MECH are captured in the Change Management System (Change Management 2000). Information included in each change record is the requested time and date of implementation, the action to occur, and the justification of the action.

All changes to information systems at DECC MECH are brought before at least one of two CCBs. DISA headquarters has an Executive Software CCB which is responsible for reviewing all major system changes such as new versions, new software, and the removal of software. There is also a local CCB at DECC MECH that meets on a weekly basis. The local CCB is responsible for reviewing all operating system upgrades and fixes. The local CCB is also responsible for alerting the customer to the change and obtaining the customer’s approval before proceeding. Also, the local CCB is responsible for maintaining the change control records.

The DISA Executive Software CCB consists of representatives of DISA management as well as all the DISA DECCs. The DECC MECH local CCB consists of all department heads and the Information Assurance Manager.
Test Procedure (DISA-Mechanicsburg): Obtained and inspected the change management policies and procedures for system software to confirm they existed and were current. Obtained a list of all DCPS system software modifications from October 1, 2004 through June 30, 2005 and selected a haphazard sample of 45 system software modifications. For each modification selected, obtained the change request document and confirmed that it was approved by key personnel prior to implementation. Confirmed that each modification was tested and the test results were approved prior to the modification being implemented. Confirmed the modification was documented by inspecting the SCR; System Test Plan; Detailed System Specifications; and Unit, System, and Acceptance testing results. Observed that there was a charter in place for the CCB.
Results of Testing: System software change testing results were not required to be documented and maintained. Therefore, the audit team was unable to verify that changes were tested prior to movement into the production environment. The charter for the local CCB was not approved.

No. 61
Control Objective: Good engineering practices with regard to the integrity mechanisms of COTS, GOTS, and custom developed solutions are implemented for incoming and outgoing files.
Control Activity (DISA-Mechanicsburg): Implemented COTS software that scans incoming and outgoing files to ensure the integrity of those files.
Test Procedure (DISA-Mechanicsburg): Confirmed through inquiry that a controlled interface was used for interconnections among the DoD information systems that were connected to DCPS. Observed the existence of ACLs, IDS, firewalls, encryption, and network monitoring. Confirmed through corroborative inquiry that interface inputs were automatically validated by the system for missing information, format, consistency, and reasonableness. Observed system batch files of interface inputs for control totals and line counts.
Results of Testing: The firewalls supporting the access path to DCPS were no longer supported by the vendor and therefore were not configured with rules. To compensate for this lack of firewall rules, the routers supporting this access path were configured to deny all requests except for items included on their access control list.

Segregation of Duties

No. 62
Control Objective: Incompatible duties have been identified and policies implemented to segregate these duties.
Control Activity (DFAS-Pensacola): Developed distinct system support functions to ensure there is adequate segregation of duties.
Test Procedure (DFAS-Pensacola): Inspected the organizational chart and the job descriptions for the positions at DFAS-Pensacola in relation to DCPS and confirmed that there was appropriate segregation of duties and that incompatible duties did not exist.

Inquired with management and inspected the organizational chart to confirm that distinct system support functions were performed by different individuals, including the following:

• IS management,
• System design,
• Application programming,
• Systems programming,
• Quality assurance/testing,
• Library management/change management,
• Computer operations,
• Production control and scheduling,
• Data control,
• Data security,
• Data administration, and
• Network Administration.

Results of Testing: No relevant exceptions noted.

No. 63
Control Objective: System management job descriptions have been documented.
Control Activity (DFAS-Pensacola): Developed position descriptions for distinct system support positions.
Test Procedure (DFAS-Pensacola): Inspected the job descriptions for the personnel who support DCPS.
Results of Testing: No relevant exceptions noted.

No. 64
Control Objective: System management employees understand their duties and responsibilities.
Control Activity (DFAS-Pensacola): Personnel receive and sign their position descriptions to confirm that they are aware of their proposed duties.
Test Procedure (DFAS-Pensacola): Selected a sample of employees and confirmed through inquiry that they understood their duties and responsibilities. Observed documentation and confirmed that employees had signed position descriptions.
Results of Testing: No relevant exceptions noted.

No. 65
Control Objective: Management reviews the effectiveness of control techniques.
Control Activity (DFAS-Pensacola): Management will periodically review and update security policies and procedures.
Test Procedure (DFAS-Pensacola TSO): Inspected the DCPS Systems Security Policy, Security Requirements, and Certification Test and Evaluation Plan and Procedures to confirm that each was periodically updated.
Results of Testing: No relevant exceptions noted.

No. 66
Control Objective: Formal procedures guide system management personnel in performing their duties.
Control Activity (DFAS-Pensacola): Formal SOPs are in place for personnel who support DCPS.
Test Procedure (DFAS-Pensacola): Inspected SOPs used by personnel for performance of their job duties with respect to DCPS.
Results of Testing: No relevant exceptions noted.

No. 67
Control Objective: Access procedures enforce the principles of separation of duties and “least privilege.”
Control Activity (DISA-Mechanicsburg and DFAS-Pensacola): Privileged accounts are only used by DISA and DCPS personnel to create/modify/delete user accounts.
Test Procedure (DISA-Mechanicsburg): Inspected the access control policies and procedures for compliance with the principles of separation of duties and “least privilege.”
Test Procedure (DFAS-Pensacola): Inspected the access control policies and procedures for compliance with the principles of separation of duties and “least privilege.”
Results of Testing: No relevant exceptions noted.

No. 68
Control objective left intentionally blank.

Section IV: Supplemental Information Provided by DFAS and DISA

IV. Supplemental Information Provided by DFAS and DISA

Introduction

This section has been prepared by DFAS and DISA and is included to provide user organizations with information that DFAS and DISA believe will be of interest to such organizations; however, it is not covered within the scope or control objectives established for the SAS 70 review. Specifically included is a summary of procedures that DFAS and DISA have put into place to enable recovery from a disaster affecting either DFAS TSOPE or DECC MECH.

This information has not been subjected to the procedures applied to the examination of the description of controls presented in Sections II and III of this report, and accordingly, the DoD OIG expresses no opinion regarding the completeness and accuracy of this information.

TSOPE Specific Business Continuity Plans

The DCPS production support Continuity of Operations Plan (COOP) provides an action plan to be implemented when there is a disaster or impending threat that would render DCPS production support inoperable (e.g., hurricane, damage to TSOPE facilities due to fire, etc.). This plan is evaluated and updated accordingly on an annual basis. If an impending threat or event occurs, production support control for DCPS is transferred to an alternate processing site, currently defined to be the Defense Ammunition Center, Huntsville, AL. Contained in the detailed COOP are the names of DCPS staff members who will serve as a pool of resources to be mobilized to execute the plan and a list of documentation and supplies that are necessary to support the mobilized team.

Team members are drawn from DCPS development staff across many divisions and branches. TSOPE designates two members of the management team to be responsible for COOP execution. One is mobilized with the team and is responsible for team activities and communication with TSOPE while deployed to the COOP recovery site. The other serves as the team’s liaison at TSOPE and is responsible for relaying current status, current area weather conditions, and other pertinent information to the mobilized team. The team is further divided into two teams, each covering a 12-hour shift. Team leaders are appointed for the respective shift teams. Each step included in planning and executing the COOP is coordinated with the full cooperation and involvement of the DCPS project management staff. Although this plan works for any type of disaster where production support becomes inoperable, it has been executed several times in the past few years during impending disastrous weather conditions, such as hurricanes.

DECC MECH Business Continuity Plans

To accommodate a major disaster at any major DISA processing center, DISA has established the DISA Continuity and Test Facility at Slidell, LA. This facility is equipped with computational, Direct Access Storage Device, and telecommunications resources sized to provide a fully functional host site with the capacity to support a major disaster at any DISA processing center. The COOP support agreement between DFAS, as the customer, and DISA, as the provider of processing systems and communications services, provides for restoring host site processing in the event of a major disaster and the timely resolution of problems during other disruptions that adversely affect DCPS processing. The plan, as it relates to DCPS, details data restoration procedures for the MZF OS/390 operating system, the DCPS Integrated Database Management System, and related mid-tier servers and communication devices. Backup tapes containing the incremental daily and the complete weekly backups are rotated offsite to the Processing Element Chambersburg for storage on a predetermined schedule.

The Crisis Management Team at DECC MECH is responsible for declaring that a disaster has occurred and initiating the Business Continuity Plan. The Crisis Management Team will then activate the following response teams: the Communications Team, Recovery Coordination Team, Site Recovery Team, and Crisis Support Team. Each team has a specific set of responsibilities defined in the Business Continuity Plan. The contact information for each individual on each team is also included in the Business Continuity Plan. The plan is required to be tested on an annual basis. TSOPE personnel participate in the yearly COOP test to ensure that the process works correctly and documentation is updated appropriately.

Acronyms and Abbreviations

ACF2        Access Control Facility 2
ACL         Access Control List
AIS         Automated Information System
CAC         Common Access Card
CCB         Configuration Control Board
CM          Configuration Management
CMIS        Change Management Information System
COOP        Continuity of Operations Plan
COTS        Commercial Off-the-Shelf
CSR         Customer Service Representatives
DAC         Discretionary Access Control
DAPS        Defense Automated Printing Service
DCPS        Defense Civilian Pay System
DECC        Defense Enterprise Computing Center
DECC MECH   Defense Enterprise Computing Center Mechanicsburg
DFAS        Defense Finance and Accounting Service
DISA        Defense Information Systems Agency
DITSCAP     Department of Defense Information Technology Security Certification and Accreditation Process
DMI         Desktop Management Initiative
DMZ         Demilitarized Zones
DoD         Department of Defense
DoDD        Department of Defense Directive
DoDI        Department of Defense Instruction
DOD OIG     Department of Defense Office of Inspector General
DOE         Department of Energy
DPL         Director’s Policy Letter
EOP         Executive Office of the President
FSO         Field Security Operations
GOTS        Government Off-the-Shelf
HHS         Department of Health and Human Services
IAVM        Information Assurance Vulnerability Management
IA          Information Assurance
ID          Identification
IP          Internet Protocol
IDMS        Integrated Database Management System
IDS         Intrusion Detection System
ISO         Information Security Officer
ISS         Information Security Scanner
ISSO        Information Systems Security Officer
IT          Information Technology
LAN         Local Area Network
LPAR        Logical Partition
M&CPS       Military & Civilian Pay Services
MAC         Mission Assurance Category
MOA         Memorandum of Agreement
NIPRNET     Non-Classified Internet Protocol Router Network
NIST        National Institute of Standards and Technology
NSA         National Security Agency
OIG         Office of the Inspector General
OLQ         Online Queries
OS          Operating System
SA          System Administrator
SAAR        Systems Access Authorization Request
SCR         System Change Request
SDLC        System Development Life Cycle
SMC         System Management Center
SMO         System Management Office
SNA         Systems Network Architecture
SOP         Standard Operating Procedures
SRR         Security Readiness Review
SRRDB       Security Readiness Review Database
SSAA        System Security Authorization Agreement
SSN         Social Security Number
SSO         System Support Office
STIG        Security Technical Implementation Guide
TASO        Terminal Area Security Officer
TSO         Technology Services Organization
TSOPE       Technology Services Engineering Organization in Pensacola
TSP         Thrift Savings Plan
VMS         Vulnerability Management System
VPN         Virtual Private Network

Report Distribution

Office of the Secretary of Defense
Under Secretary of Defense for Acquisition, Technology, and Logistics
Under Secretary of Defense (Comptroller)/Chief Financial Officer
   Deputy Chief Financial Officer
   Deputy Comptroller (Program/Budget)
Director, Program Analysis and Evaluation

Department of the Navy
Naval Inspector General
Auditor General, Department of the Navy

Department of the Air Force
Auditor General, Department of the Air Force

Combatant Command
Inspector General, U.S. Joint Forces Command

Other Defense Organizations
Director, National Security Agency
Director, Defense Finance and Accounting Service
Inspector General, Defense Information Systems Agency

Non-Defense Federal Organizations and Individuals
Office of Management and Budget
General Accountability Office

Congressional Committees and Subcommittees, Chairman and Ranking Minority Members
Senate Committee on Appropriations
Senate Subcommittee on Defense, Committee on Appropriations
Senate Committee on Armed Services
Senate Committee on Homeland Security and Governmental Affairs
House Committee on Appropriations
House Subcommittee on Defense, Committee on Appropriations
House Committee on Armed Services
House Committee on Government Reform
House Subcommittee on Government Efficiency and Financial Management, Committee on Government Reform
House Subcommittee on National Security, Emerging Threats, and International Relations, Committee on Government Reform
House Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, Committee on Government Reform

Team Members

The Defense Financial Auditing Service, Department of Defense Office of Inspector General, in conjunction with contract auditors from Acuity Consulting, Inc., produced this report. Personnel from the Technical Assessment Division and Quantitative Methods Division, Department of Defense Office of Inspector General, also contributed to the report.

Paul J. Granetto
Patricia A. Marsh
Addie M. Beima
Michael Perkins
Kenneth H. Stavenjord
Frank C. Sonsini
Sean J. Keaney
Anh H. Tran
Charles S. Dekle
Ernest G. Fine
Travis R. Schenck
Mary A. Hoover
Joey S. Sparks
Nicholas Drotar, Jr.
Alberto J. Calimano-Colon
Jennifer K. Thorson